Now it’s Personal: Google Hit with First Heavy GDPR Fine

Posted by Ashley M. Bowcott on

This blog recently introduced the General Data Protection Regulation (GDPR), which was enacted by the European Union (EU) in May 2018. Since that entry, the first significant fine under the GDPR has been issued, and it’s against a company to which everyone has provided data: Google.

Although social media platforms like Facebook have received more widespread criticism over the use (or misuse) of data in recent years, it was Google that was first to face the major consequences of the GDPR. The $57 million fine was issued by the French data protection regulator CNIL. CNIL fined Google for failing to meet GDPR standards in providing information to customers about how their data is being used, particularly in regard to personalized ads. Additionally, Google did not provide sufficient information regarding its data consent policies.

For data privacy advocates, the fine was a long time coming. Within minutes of the GDPR’s passage in May 2018, the privacy rights organization None of Your Business (NOYB) filed complaints against companies in four EU countries, alleging forced consent by Google, Facebook, WhatsApp, and Instagram.

Ultimately, CNIL issued the fine against Google because it found there were continuous breaches of the GDPR rather than a “one-off, time-limited [] infringement.”[1] The GDPR requires that consent be freely given when an individual agrees to any processing of personal data. To ensure consent is genuine, the entity must make clear the extent to which the consumer is providing consent. If violated, companies may be fined up to 4% of their annual global revenue. This could result in fines substantially larger than the one Google is currently appealing.

The GDPR’s reach is significant and its authority is broad, as evidenced by the fact that the French CNIL issued the fine despite Google’s European headquarters being located in Ireland. Globalized business activity now poses increased risks as GDPR violations may come from multiple EU countries. Now that Google has been fined under the GDPR, many think that fines will become a more common practice. Therefore, it is more important than ever to ensure your business complies with the GDPR if it is required to do so. Moreover, there has been a push for similar regulations in the United States. Some states have already begun to impose their own privacy protections and others are sure to follow even if federal privacy legislation isn’t enacted.

The hefty fine incurred by Google shows that there is no company too big to be subject to the GDPR. If you have questions about better protecting data for your company, we’re happy to help.

[1] CNIL, The CNIL’s Restricted Committee Imposes a Financial Penalty of 50 Million Euros Against Google LLC (Jan. 21, 2019), https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc.