Earlier this month, France’s Supervisory Authority (CNIL) fined Google €50 million (around £44 million) for a breach of the EU’s data protection rules.
The case arose from complaints filed with the CNIL very soon after the 25th of May 2018 by two consumer associations against Google for “not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes”.
The CNIL claimed that Google breached the GDPR when new Android users set up a new phone and during Android’s onboarding process, because it made it difficult for consumers to access the data collection policies and failed to obtain specific user consent. In fact, users had to perform 5-6 actions to access information on data processing activities and even then, the information wasn’t always clear.
How was the GDPR fine calculated?
Google were issued the fine of €50 million because of:
- The severity and continuity of the breach (it wasn’t one-off)
- The impact it had on a large number of consumers
- The relevance of advertising to Google’s economic model
However, as GDPR fines can be up to €20 million or 4% of the total worldwide turnover, Google could have been hit with a fine of $4.4 billion. For Google, it could have been much worse!
What can we learn from Google’s mistakes?
Whilst the headlines are largely dominated by the international tech companies, it is not just big companies, like Google, that are breaching GDPR rules. Research by cloud data firm Talend has revealed that 74% of UK organisations are failing to address requests from individuals seeking to get hold of personal data within the one-month time period.
It is clear that the attitude of data protection authorities is changing and the ICO will be seeking to impose greater penalties on businesses that fail to demonstrate compliance. That’s why it is vital that businesses remain vigilant about their data protection practices and that those practices are compliant with GDPR.
If you would like any specialist advice about how to demonstrate your compliance or some training for your employees, please get in touch and we’ll be happy to help – 01673 885533.