Google has been fined €50 million by French data regulator National Data Protection Commission (CNIL) for breaching GDPR due to its "lack of transparency, inadequate information and lack of valid consent regarding advertising personalisation." It's well below the potential four percent of global turnover, but substantial none the less.
CNIL investigated complaints from the associations None Of Your Business ("NOYB") and La Quadrature du Net ("LQDN") (which was mandated by 10 000 people to refer the matter) who claimed Google did not have a valid legal basis to process the personal data of the users of its services, particularly for advertising personalisation. CNIL concluded that users were indeed "not sufficiently informed" about how Google collected data to personalise advertising.
Javvad Malik, security advocate at AlienVault noted in an email to SC Media UK that: "This could be one of the first high profile tests of GDPR and how it pans out in the real world."
Matt Walmsley, EMEA director at Vectra adds: " I’d expect Google to challenge the ruling, and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others."
However, across the Atlantic, some commentators had an entirely different take on the development with Daniel Castro, director of the Center for Data Innovation issuing a statement saying, "Today’s announcement underscores why the GDPR is fundamentally not a viable model for regulating the digital economy," apparently incensed that Google, acting in good faith, had been fined, rather than someone deliberately acting fast and loose with people's data (more detail below).
While the case may add some clarity to GDPR implementation, it actually centred on the lack of clarity or transparency that Google gave to its users.
Malik adds: "Companies need to be transparent and clear with its users as to what data it is capturing and for what purposes. In this case, CNIL has decided that Google was neither transparent, nor clear with users - resulting in users making misinformed choices.
"Customer data of all sorts, whether that be PII, or even metadata should be considered carefully by companies. Before storing or processing information about customers, companies should ask themselves two questions. First, what purpose the data is being used for and for how long, and secondly, have the users truly given informed consent - if the answer to either is unclear, then they should not go ahead with it."
And its not as though they weren’t warned. As Fouad Khalil, vice president of compliance at SecurityScorecard points out in an email to SC Media UK: "Given the fact that it was the French privacy watchdog (CNIL) that issued the fine [under GDPR] is no surprise. CNIL is the only regulator that issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France where it is considered to be more effective.
"The regulator indicated that Google provided inadequate information to its consumers as well as had invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is. Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it as continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.
"In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase."
Regarding the extent of the fine, Alex Hollis, GRC practice director at SureCloud, an organisation that had predicted either the CNIL or BfDI (French and German information commissioners respectively) would be one of the first of the landmark cases, emailed SC to note: "The scale of the fine for Google is not the four percent which is allowed under the regulation, which must go some way to acknowledging the steps and controls that Google has taken. It should certainly serve as a caution to those who don’t have the legal protection that Google has."
Castro expanded upon his contrarian view: "The GDPR requires companies to follow a complex and ambiguous set of rules, and it imposes substantial fines on businesses that step across these invisible lines. Some of these demands are even contradictory, such as requiring companies to be both comprehensive and concise when detailing how they use consumer data. These rules have introduced confusion and uncertainty into the digital economy while offering relatively few benefits to consumers.
"The fine announced today sets a dangerous precedent. Penalties that target good-faith efforts to comply with the law, rather than those who deliberately or negligently misuse data, undermine the goals of the GDPR. They force companies to focus on check-the-box compliance, rather than making meaningful changes that will bring greater control of personal information to consumers or encourage greater investments in innovation.
"Notably, CNIL did not identify any specific instances of consumer harm or malicious intent, yet it still imposed a substantial fine rather than merely seeking corrective behaviour. Neither did it outline specific steps that the company could take to achieve compliance. This lack of clarity, which ironically is the chief complaint from regulators about the private sector, will not help companies achieve compliance. While there are many talented lawyers and engineers working in the tech industry, they aren’t mind readers.
"As the United States and other countries consider pursuing new data protection laws, the failures of the GDPR should serve as a roadmap for some of the worst pitfalls to avoid."
Google said it was "studying the decision" to determine its next steps.