The French supervisory authority, the Commission nationale de l’informatique et des libertés (CNIL), has fined Google 50 million euros for breaching the GDPR. The CNIL said that the fine is due to “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The investigation commenced on the 1st of June 2018 following group complaints initiated by the not-for-profit None of Your Business (NOYB), chaired by Max Schrems, and by La Quadrature du Net (LQDN), on behalf of 100,000 people. Whilst Google’s European headquarters are situated in Ireland, the CNIL found that the headquarters did not have decision-making powers and so the ‘one stop shop’ mechanism was not applicable. As a result, and in line with the European Data Protection Board’s guidelines, the CNIL was competent to take any decision regarding the operations carried out by Google.
The supervisory authority found that Google failed to obtain consent, lacked a lawful basis to process personal information and lacked transparency.
The consent obtained by Google was found to be neither sufficiently informed, nor specific, nor unambiguous. The authority stated that information on the processing operations for the adverts was “diluted in several documents and does not enable the user to be aware of their extent”. The CNIL found that the option to personalise ads when opening an account was pre-ticked, making it an ‘opt-out’ process, which goes against the legislation. Moreover, the authority found “users are not able to fully understand the extent of the processing operations carried out by Google”, meaning that Google have failed to follow the first principle of the GDPR, that personal data shall be processed in a “transparent manner”.
Whilst this seems a rather hefty fine, to put it into perspective, Google made 33 billion dollars in the last quarter, so the fine is not quite the maximum of 4% of a company’s global annual turnover allowed by the GDPR.
Google have responded by saying that “people expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR”, and that they will be studying the decision to determine their next steps.
Written by Becky Nicholson