This is BIG news.
Google has been issued with a record fine of £44 million (50 million euros) by CNIL, the French data regulator (the equivalent of the UK’s Information Commissioners Office).
The fine relates to a breach of EU’s data protection rules, with CNIL citing there had been a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The French regulator came down heavily on Google after judging that people had been been “insufficiently informed” about how the organisation was collecting user data to personalise advertising. This came after complaints were filed with the regulator by two privacy rights groups: None Of Your Business (Noyb) and La Quadrature du Net (LQDN), the day that GDPR came into effect.
At the time of writing, we’re yet to know much more about this breaking story other than Google have responded to say that it is currently “studying the decision”, before deciding on next steps – so hang tight.
Interestingly, Google have already commented that “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR”
Lack of transparency
The French regulator stated that Google had failed to obtain clear consent in relation to the processing of personal data and that, perhaps unsurprisingly, “Users are not able to fully understand the extent of the processing operations carried out by Google.”
Lack of consent
As if a lack of transparency was bad enough, CNIL also found that Google had failed by having no legal basis to process the user data in the first place. Seemingly, Google had intended to reply up consent as their legal basis, however, the regulator found that “pre-ticked” options upon creating an account did not respect GDPR rules and more attention should have been given to the fact that consent is “specific only if it is given distinctly for each purpose”.
In what looks set to be a watershed (literally, tears shed) moment for GDPR, the French regulator stated it was Google’s “utmost responsibility to comply with the obligations on the matter”.
A viewpoint which we can be sure will be imposed upon all organisations undergoing the scrutiny on a regulator in coming months.
What’s for certain, is that we can expect similar cases to follow suit.