Google’s GDPR fine – how did it happen and what can we learn?

Under GDPR, businesses can receive a fine of up to 4% of their global turnover

With GDPR having been in force for just over eight months, Google is the first to receive a fine under the EU-wide regulation. The fine was issued by the French regulator CNIL (National Commission of Computing and Freedoms) and the €50 million fine shows that the EU is ready to flex its muscles in enforcing the law.

How did the complaint come about?

In May 2018, just days after GDPR came into force, two advocacy groups, La Quadrature du Net and None Of Your Business (NOYB), filed complaints against Google. The complaints were based on the default privacy settings when signing up for a Google account on Android, with consent boxes being pre-ticked. La Quadrature du Net presented this as evidence of how large corporations such as Google “interpret the law (GDPR) differently” and said “claiming to be compliant is simply not enough”. The group will now be following up with the CNIL to see that Apple, Facebook, Amazon and Microsoft, against whom it also filed complaints in May, are also fined.

What did Google do wrong?

The main basis for the complaint was the manner in which Google obtained consent to advertise to users when they create an account. The default setting when signing up for a Google account is for Google to display personalised ads, with users having to manually disable the setting should they not wish to receive such advertisements. In an additional breach, Google requires people who sign up for a Google account to agree to its terms and conditions in full via pre-ticked boxes. This approach implies that users must either agree to all the settings or not use the service at all.

GDPR outlawed the practice of businesses relying on pre-ticked boxes to obtain consent. They must allow users to choose how their information is used. Consent is just one of the six conditions for processing data that businesses can rely on and businesses must make it clear which condition they are relying on in their privacy notice at the time the data is collected.

What is Google’s response?

It may come as no surprise that Google seems to feel they are acting lawfully. A Google spokesperson said “We’re deeply committed to meeting those expectations and the consent requirements of GDPR”, which is the response you’d expect from a large company that’s just been exposed and has their reputation at risk. However, they also plan to contest the changes the CNIL are suggesting, saying the decision should only apply to their European sites such as Google.fr and not Google.com, despite the fact that a lot of Google.com users are based in Europe. Further, La Quadrature du Net is now trying to fight another decision by Google, to move their headquarters to Ireland, where GDPR enforcement is perceived as more lax.

What this means for businesses

While the fine is only a small amount for a company of Google’s size, it demonstrates that no company is above the law. Complaints are being taken seriously by authorities, with the UK’s Information Commissioner’s Office (ICO) having already fined several companies under the pre-GDPR Data Protection Act 1998. Businesses should therefore ensure they have chosen at least one condition for processing data and that their privacy notices make that condition clear. Providing GDPR training to all staff, particularly those who regularly process personal data such as marketing and HR, will help ensure employees comply with the law.

Further, marketers will want to keep an eye on how Google changes its sign-up processes going forward. If allowing ads is no longer a default setting, businesses will not be able to target as many users with their ads. However, this also gives businesses the opportunity to maximise their advertising budget by only marketing to those that have given consent to being advertised to. The fine therefore offers a warning to all businesses on the repercussions of GDPR non-compliance, while giving marketers some food for thought.

How are you managing your GDPR compliance requirements?

GDPR added a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented and Data Protection Impact Assessments (DPIA) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.