In the first major enforcement of the European Union’s new General Data Protection Regulation (GDPR), Internet search giant Google has been hit with a 50 million Euro fine for breaches of the regulation found during an investigation by France’s National Data Protection Commission (CNIL).
First Major Enforcement of the European Union’s GDPR
Since taking effect last year, the GDPR has been enforced throughout 2018, such as the action taken against AggregateIQ Data Services Ltd, a Canadian firm, by the UK’s Information Commissioner’s Office (ICO) .
The new fine against Google CNIL announced today, however, is orders of magnitude larger than the fines levied against prior offenders. The ICO, for instance, levied the maximum fine against Facebook for its role in connection with the Cambridge Analytica scandal which amounted to 500,000 pounds sterling.
This new fine by CNIL is nearly 100 times that amount and marks the beginning of a new era in data collection and protection compliance.
Google Caught on the Wrong Side of the GDPR
The enforcement action stems from two complaints made by None of Your Business (NOYB) and La Quadrature du Net (LQDN) on the 25th and the 28th of May, 2018. These organizations accused Google of lacking the legal basis for collecting and processing user data in connection with their ad personalization system.
CNIL began investigating the complaints in accordance with the GDPR and in September 2018 carried out their own online inspection of Google’s services to examine Google’s compliance with the GDPR and the French Data Protection Act (FDPA).
According to CNIL, this examination analyzed “the browsing pattern of a user and the documents he or she [could] access, when creating a GOOGLE account during the configuration of…mobile equipment using Android [, Google’s mobile device operating system].”
Lack of Information and Transparency
The regulator found that the information Google is required by the GDPR and the FDPA to provide the user is opaque and not easily found by a user. Information on how a user’s data is going to be processed, stored, and used were spread across several different documents that required clicking through multiple buttons and links to find, as many as 6 according to the regulator’s examination.
Further, the information the company did provide was not sufficient to fully inform users about the extent of Google’s data collection and processing procedures, which are extensive, as they are spread over more than a dozen services from Gmail to YouTube.
CNIL cited Google for not clearly explaining to users that the legal basis for their data collection and processing relies on user consent, and not the company’s legitimate business purposes. Google also did not provide the retention period for some user data as required by the GDPR and FDPA, according to the regulators.
Lack of Required User Consent
All this led the regulators to reject the company’s claim that they obtained the user’s consent for their ad personalization services. First, users are not given enough information, according to CNIL, to give the company informed consent to use their data.
Second, control of the ad personalization data is provided to the user but is more or less tucked away under a “more options” page when creating an account that most users won’t even think to click on. What’s more, the ad personalization option is an opt-out selection, meaning that users are processed through ad personalization by default, violating the GDPR requirement that all consent must be unambiguous and an affirmative choice by the user.
Implications for Compliance
This enforcement has already sent shockwaves through the Internet as it has massive implications for companies reliance on Terms of Service Agreements for all sorts of data collection. In light of this action, companies may have to entirely rewrite the user agreements that they have been relying on for decades.
At 25 million euros per complaint, if this Google fine is any precedent, is too costly for companies to write off as simply the cost of doing business, so we should expect big changes in how companies approach these issues in the future.