During the mad scramble for General Data Protection Regulation (GDPR) compliance in the early part of last year, industry analysts were still speculating about the priorities and rigor of the European Union (EU) regulators. Major GDPR fines at the beginning of 2019 have helped to bring some much-needed clarity. The 50 million euro fine handed out to Google by supervisory authorities indicates that regulators are taking the letter of the law very seriously.
Google’s big GDPR violation
Google received the €50 million fine from French regulator CNIL for failing to adequately inform users about its data collection practices and for not giving users enough control over how their information is used.
The complaints were brought by two French privacy advocacy organizations shortly after the new data protection law went into effect in 2018. CNIL found that information on how data is used is not easily accessible enough to users, with important facts scattered across too many different documents. CNIL also found that some of Google’s descriptions of its data processing methods were too vague or unclear.
On this basis, CNIL ruled that the search giant failed to comply with the GDPR by not adequately obtaining the consent of users, particularly emphasizing that consent must be given for each specific purpose of data use rather than *en masse* with one checkbox that covers multiple purposes.
The record size of the fine was based on the number of violations in the French market (given Google’s tremendous user base) and the fact that the violations are continuous and remain unaddressed.
Tech giants in the crosshairs for major GDPR fines?
This was the first GDPR fine for one of the “whales” of the tech world, and also the largest fine levied against anyone to date.
Relatively speaking, the fine is very small for a company that makes in the neighborhood of 30 billion euros per quarter. It was over 10 times larger than any previous GDPR fine, however, and was also relatively lenient in terms of what the GDPR allows. Given that “conditions of consent” were involved, the maximum total of GDPR fines for this sort of infraction could have amounted to as much as 4% of Google’s annual global turnover.
It’s reasonable to believe that this initial fine wasn’t meant so much as a deterrent as it was a warning. Google will have to pause and reconsider how it collects and handles its reams of advertising data, and consumer awareness of protected categories of personal data is likely to increase as GDPR fines like this are handed out.
Though Google could potentially be on the hook for larger GDPR fines in the future should it not comply with the CNIL decision, a company spokesperson has announced that it plans to appeal.
Perhaps the biggest takeaway from this fine is that it may signal a priority shift for the European data protection authorities. The GDPR fines issued to date have targeted much smaller entities, and the pattern seemed arbitrary – a hospital in Lisbon, a relatively small social media company based in Germany and a local business in Austria that had a CCTV security camera pointing the wrong way. Investigations and GDPR fines are initiated after complaints are made, but one has to assume numerous complaints have already been lodged about nearly any enterprise-scale company that gathers personal data. Observers have been wondering when the floodgates would open for the major tech companies, and this may be the first of many GDPR fines for them in 2019.