After months of conjecture about GDPR implementation, French regulators handed Google a EUR 50 million fine for failing to properly obtain valid user consent to gather data used for targeted advertising. The first substantial GDPR fine raises many questions for businesses, big and small. Let’s consider some of the implications.
France’s National Data Protection Commission (CNIL) identified Google’s handling of personal data as follows:
- Google violated rules requiring information about data collection to be transparent. Full information on data-processing purposes and data-storage times were not all presented in the same place. CNIL appears to have weighed heavily the fact that Google contains vast amounts of data about individuals, stating: “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
- Boxes giving consent to certain data-processing practices were pre-checked- a direct violation of the GDPR.
These failings led CNIL to conclude that Google had miscarried processes to obtain appropriate consent from users for serving personalized ads. The investigation into Google’s privacy practices started on May 25th, 2018, the day the GDPR entered into force after two groups of privacy activists filed complaints against Google. In response to the fine, Google is studying the verdict to determine the next steps.
Google confirmed that the fine will be appealed.
Implications of the GDPR Fine
The EUR 50 million fine only represents roughly 0.05% of Google’s USD 110.8 billion revenue. This is a far cry from the maximum fine of 4% global revenue that could have been imposed. While still a relatively small percentage, the fine is by far the biggest amount imposed by any national regulator since the entry into force of the new law. Moreover, it represents the opening for a possible wave of enforcement actions and pursuit by regulators to other tech companies for similar practices.
The action also makes it clear that practices that were once considered “good enough” prior to the introduction of the GDPR are no longer legal. In order for big data to be legal under the GDPR, companies need to ensure the following factors:
(a) the secondary processing must be compatible with the original purpose for which the data was collected,
(b) use only the minimum amount of data necessary for the purpose for which it is processed; ( known as data minimisation )
(c) satisfying the balance of interest test.
This GDPR enforcement action against Google makes it clear that companies need to be explicit towards users about how and for which purposes their data is being processed. Anticipate scrutiny towards big data practices to increase.
Despite the fact that Google allows users to modify their privacy settings when they create an account, CNIL faulted the company for serving users personalized ads as the default setting. The move suggests a strict attitude towards consent.
The interesting question is how other DPA’s will react to this decision and the pressure on Google to change its practices. While the fine levied may be nothing more than a drop in the ocean for Google, the potential changes the technology giant will be forced to make to its data-processing practices in the European Union could fundamentally call into question all similar business models.