Google fined €50 million under GDPR

The French data protection regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), has levied a fine of €50 million against technology giant Google for breaches of the General Data Protection Regulation (GDPR). It is the largest administrative fine issued to date under the GDPR.

The fine arises from complaints made against Google by two European privacy rights groups. The first of these complaints was filed on 25 May 2018, the day on which the GDPR took effect. The complaints concerned Google’s use of its users’ personal data to personalise advertisements. The privacy groups claimed that Google did not have a valid basis under the GDPR to process its users’ personal data for this purpose.

While Google did obtain consent from users to ad personalisation, the CNIL said that this consent did not meet the standards required by the GDPR for several reasons:

  • The option to personalise ads was “pre-ticked” when creating an account.
  • The consent was not specific to the personalisation of ads but encompassed a number of other processing activities.
  • The information necessary for users to understand ad personalisation was spread over several documents and users had to take five or six steps to access all the information.

What can we learn from the decision?

Google has said it was studying the decision and determining whether to appeal, so it is likely that this matter is far from over. However, there are a few lessons that businesses which are subject to the GDPR can take from it right away.

1. Opt-out consent mechanisms are no longer valid under the GDPR

Opt-out mechanisms, such as pre-ticked check boxes, were sufficient to obtain consent under the old Directive 95/46/EC on Data Protection (Directive), and remain sufficient in most other jurisdictions. However, the GDPR requires that consent be obtained using “opt-in” mechanisms and provides that pre-ticked boxes do not constitute valid consent.

2. You must obtain separate consent for each purpose

The GDPR requires that separate consent be obtained for each proposed purpose for which the personal data will be processed. Individuals should be able to agree to some uses but not others. A common example is to provide one tick-box for consent to receive direct marketing of your own products, and a separate tick-box for consent to receive direct marketing of third-party products.

3. Make it easy for individuals to understand what they are consenting to

The GDPR requires that individuals be provided with sufficient information to allow them to make an informed choice about the proposed processing. This information should be easy for them to find and understand. Users should not have to click multiple hyperlinks and find information buried in lengthy documents. There are various ways of presenting information online which provide users with an overview of key points and allow them to drill down into the finer details.

4. Multi-million euro fines are not as unlikely as we first thought

GDPR penalty provisions allow regulators to issue administrative fines of up to €20 million or 4% of a company’s worldwide annual turnover for the preceding financial year, whichever is higher. While the magnitude of these penalties dominated the headlines when the GDPR was introduced, several European regulators stated publicly that they would use fines sparingly, and generally only against serious or repeat offenders.

By issuing such a substantial fine so early in the life of the GDPR, the CNIL appears to be taking a different approach, and sending the message that it will not hesitate to take punitive measures to enforce the GDPR. The fine stands in stark contrast to the £500,000 fine imposed by the UK Information Commissioner’s Office against Facebook last October, which was the maximum permitted under the Directive.

Of course, it could be argued that the fine only seems large because it was calibrated to the size of the offender: the fine amounts to approximately four hours’ worth of revenue for Google. Fines issued against smaller businesses under the GDPR have been much smaller. Last year, a Portuguese hospital was fined €400,000 for misuse of patient records, a German social media service was fined €20,000 for lack of password security, and an Austrian business was fined €4,800 for unlawful surveillance. At the very least, however, the decision is a wake-up call to businesses that non-compliance with the GDPR could be costly.