Using its extra powers for the first time under the General Data Protection Regulation (GDPR), the French data protection regulator the CNIL has fined Google 50 million euros. The watchdog says that’s justified by the severity of the infringements against the essential principles of the GDPR: transparency, information and consent.
The CNIL disagreed with Google’s argument that it obtains the user’s consent to process data for ads personalisation purposes. The regulator found that users are not able to fully understand the extent of the processing operations carried out by the tech firm, and that those processing operations are particularly massive and intrusive because of the number of services offered (about 20). The CNIL carried out online inspections in September. The aim: to verify the compliance of Google’s processing operations with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user, and the documents he or she can access, when creating a Google account during the configuration of a mobile device using the Android operating system.
For the CNIL (Commission Nationale de l’Informatique et des Libertés) findings visit CNIL.fr.
For more on the GDPR visit the website of the UK watchdog the ICO (Information Commissioner’s Office). Since the GDPR came into effect across the European Union and was made national law in each EU country, the watchdogs can now fine offenders up to 20m euros or 4pc of annual turnover; previously the UK maximum was £500,000. Under the pre-GDPR rules a court fined Cambridge Analytica £15,000 for ignoring an enforcement notice issued by the ICO.
Matt Lock, Director of sales engineering at Varonis says: “The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls.”
Dr Guy Bunker, SVP of Products, Clearswift, says: “The key thing to take from this news is that this is a substantial fine in the name of GDPR. It’s nowhere near the maximum available fine, but it is enough to make organisations sit up and take note. It also shows that no organisation is above the law and the regulators will go after big names.
“For businesses now fearing the risk of substantial fines to their own organisations, the key to compliance centres on three aspects. People, processes and technology are vital areas that organisations need to review to gain visibility and control of critical data to comply with the GDPR. The board should be working together with middle management on their organisation’s GDPR compliance to maintain a clear understanding of the state of their organisation’s data security status.”
Ryan Kalember, SVP, Cybersecurity Strategy at the cyber protection product firm Proofpoint said: “This GDPR fine brings to light some vital lessons for other businesses observing this crisis from a distance. By becoming the highest fined company since GDPR came into force, Google is now the black and white case study of ‘what could happen’ in the event of non-compliance. In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.
“Many organisations are still unsure whether their GDPR compliance strategy is 100 percent fit for purpose, but this incident signals that long gone are the days where privacy can be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue. Compliance professionals now have a use case to take to the board to secure any funding and resources they need to become GDPR compliant if their organisation isn’t today.”