Google Fined 50 Million Euros for Violations of EUâs New GDPR
The Commission nationale de l’informatique et des libertĂŠs (CNIL), Franceâs nation data protection authority, has just levied a 50 million euro fine on Google for violations of the EUâs General Data Protection Regulation. The GDPR was implemented in May of last year and, widely considered the strictest data regulations in effect, notably gives much of the control back to the consumer, including opt-in consent for the use of private information. Google is appealing the decision.
The CNIL found Google in violation of two aspects of the GDPR:
First, Google failed to make properly transparent information regarding the use of consumer data. According to the report, âessential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.â
Second, Google failed to gain valid consent to process data for ad personalization. The key word here is valid. Google does in fact obtain consent from users, but the CNIL found this consent was not sufficiently informed. âThe information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.â Moreover, the consent obtained was not considered to be âspecific or unambiguousâ. Google allows users to access ad configuration, however, âthe user not only has to click on the button âMore optionsâ to access the configuration, but the display of the ads personalization is moreover pre-ticked.â The consent is therefore not obtained with the âclear affirmative action from the userâ required for the consent to be considered valid.
While Google is not the first company to be fined for violating the GDPR, it is the largest fine received under the new regulations by far. However, the damage could have been a lot worse for Google. Organizations can be fined up to 4% of their annual global revenue, and with 33.7 billion in revenue last quarter alone, Google might consider themselves lucky.
Googleâs Appeal May Help Clarify the Scope of the CNILâs Ruling
In a statement to Politico, however, Google confirmed they will be appealing the CNILâs decision: âWeâve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. Weâre also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.â
Googleâs claim that their consent process is based on regulatory guidance and user experience testing may point to their argument: Â that they followed in good faith regulator guidance (either specific and targeted guidance or public guidance) and the user testing; the regulators may say the consent is not informed and Google might try to refute that via an analysis of its user testing.
Google is also appealing to the concerns from companies in other industries on how the GDPR may affect them. Echoing these concerns, CCO of the Financial Times, Jon Slade, told Digiday âthe interpretation of GDPR has been inconsistent at best, and in some cases has willfully chosen to ignore both the letter and the spirit of the regulation. The industry now canât say it hasnât been warned.â While Google is likely overstating their concern for other industries, the appeal process may at the very least lead to clarify the definition and scope of certain aspects of the GDPR. Â
The CNILâs decision is therefore an essential reminder for any business that transparency and consent is increasingly becoming the name of the game. As the example of Google makes clear, simply having information available to consumers is not enough, that information needs to âintelligible and easily accessible.â While in the United States there are no federal data protections laws with the same scope of the GDPR, states such as California are beginning to pass regulations similar to those in the EU. Companies not currently affected by such regulations therefore still prioritize data processing and put in a place a plan that would allow quick and easy compliance with any new regulations that may be implemented. Or, as Jon Slade puts it, âanyone handling data would be crazy not to look at this strong enforcement of GDPR and double-check themselves.â