The French data protection regulator, CNIL, has penalized Google to the tune of €50m for breaching the European Union’s General Data Protection Regulation (GDPR).
The CNIL issued a public statement which said that Google was being subjected to the penalty as it was not able to provide users with information regarding its data consent policies. Along with this the CNIL stated that Google did not allow users to manage how their private information is being shared, etc. Under GDPR legislation, which was made applicable in the E.U. from May 25 2018, all organization’s must have the user’s ‘genuine consent’ before gathering their data.
The initial complaint was submitted to CNIL by the group ‘None of Your Business’ which was established by Austrian Privacy sponsor Max Schrems. A separate complaint was submitted by France’s ‘Quadrature du Net’ group on behalf of 10,000 signatories.
A CNIL representative stated: “(Also) the information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google’s legitimate business interests. The amount decided, and the publicity of the fine is justified by the severity of the infringements observed regarding the essential principles of the General Data Protection Regulation (GDPR): transparency, information and consent. Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
A Google executive commented on the penalty, reiterating that the company is dedicated to meeting the high standards of transparency and control that its users deserve. They said that the company was considering CNIL’s decision in order to determine its next actions. He stated: “People expect high standards of transparency and control from us. We are deeply committed to meeting those expectations and the consent requirements of the GDPR. We are studying the decision to determine our next steps.”
So far, this is the largest fine to be applied for breaching GDPR. This legislation says that a company which is discovered to be in breach of it may be fined €20m or 4% of annual global revenue for the previous financial year. Google could have been hit with a much higher fine given that the annual global revenue of the company for the last quarter of 2018 was just under €30bn according to Statista.
Schrems reacted to the penalty saying: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems in a statement. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”