Google’s £44 million GDPR fine

Google has been fined a massive 50 million euros (£44m) for a breach of GDPR dating back to May 2018 relating to how well people were informed about how Google collected data to personalise advertising and the matter of consent.

Who?

Google (Alphabet Inc) has been fined £44 million by the French data regulator CNIL.  The two complaints that brought about the investigation and the fine were filed in 2018 by privacy rights groups noyb and La Quadrature du Net (LQDN).

Even though the fine is eye-wateringly large, the maximum fine for large companies like Google under GDPR could have been 4% of annual turnover, which could equate to around €4bn.

Ad personalisation and Google

Google personalises the adverts that are displayed when a person is signed in to their Google account based on ad-personalisation settings. When a person is signed out of their Google account, they are still subject to ad-personalisation across the web on Google’s partner websites and apps based on their browsing history and on Google Search based on their previous searches.

What and why?

The two privacy groups complained that Google didn’t have a valid legal basis to process user data for ad-personalisation because of issues relating to transparency and consent.

The reasons for Google receiving the fine were:

1. Google failed to provide its users with transparent and understandable information on its data use policies.  This was because the “essential information” users would have needed to understand how Google collected data to personalise advertising, and the extent of that information, was too difficult to find because it was spread across several documents.  This meant it was only fully accessible after several steps e.g. up to five or six actions. Ultimately, this meant users were unable to exercise their right to opt out of data-processing for personalisation of ads.
2. It was also found that the option to personalise ads was “pre-ticked” when creating an account.  This meant users were essentially giving consent in full for all the processing operations purposes carried out by Google based on this consent.  Under GDPR however, consent should be ‘specific’ only if it is given distinctly for each purpose.

Other complaints

Privacy group noyb has also filed more formal complaints against Amazon, Apple, Google, Netflix, Spotify, and other entertainment streaming services. The reason, according to noyb, is when people request a copy of the personal data these companies hold on them, some of it may not be supplied in a format that can be easily understood.  GDPR requires companies to supply users with a copy of their data that is both machine-readable and can be easily understood.

What does this mean for your business?

Even before GDPR was introduced, many technology and security commentators predicted the big names e.g. Google and Facebook would be the first to be targeted by privacy campaigners, and that appears to be what is happening here. In this case, however, the fact that the complaints have created a record-breaking fine shows there was genuine concern about a lack of compliance with GDPR from a company that many would have expected to be on top of the legislation and setting an example. It is likely Google will need to make some significant modifications to some aspects of its services now and this may prompt other large tech companies to do the same in order to avoid similar fines and bad publicity.

This case is a reminder to businesses, particularly larger ones, that although GDPR appears to have been buried by concerns about Brexit, the need to stay compliant with GDPR is an ongoing process and should still be high on businesses’ agenda.