Google has been fined €50 million (about £44 million) by the CNIL, France’s data protection regulator, for a breach of the EU GDPR (General Data Protection Regulation).
It is by far the largest fine yet imposed under the GDPR, which took effect in May 2018 and gave supervisory authorities much stronger enforcement powers.
What did Google do wrong?
The CNIL concluded that Google had violated the GDPR in two ways. First, it failed to meet the Regulation’s transparency and information requirements, and second, it lacked a valid legal basis for the processing of personal data for ad personalisation, because the consent it relied on was not validly obtained.
These breaches fall within the Regulation’s upper tier of penalties, meaning the CNIL had the power to levy a fine of up to €20 million or 4% of Google’s annual global turnover, whichever is higher. The turnover-based figure would have equated to more than £3 billion.
So, to some extent, Google could be said to have got off relatively lightly. However, as with many organisations, the financial cost is likely to pale in comparison with the reputational cost.
In a statement, the CNIL was heavily critical of Google’s data processing policies, calling them “massive and intrusive”.
It added that the information Google does provide “is not easily accessible for users”, as it is “excessively disseminated across several documents” and can require as many as five or six actions to reach.
The CNIL also suggested that users “are not fully able to understand” the extent of Google’s data processing, partly because “the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes.”
Other GDPR fines
- The Austrian DPA imposed the first known fine under the GDPR, of EUR 4,800, for unlawful video surveillance.
- The Portuguese authority (CNPD) imposed a fine of EUR 400,000 on a hospital after a staff member illicitly accessed patient data.
- In France, the first fines under the GDPR were also issued: an employer that used a biometric system to monitor employees’ working time and failed to inform them was fined EUR 30,000.
- In the most recent case, one of the regional German DPAs fined a social media company EUR 20,000 for violating its data security obligations. The German regulator explained the relatively low fine by referring to the company’s exemplary cooperation with the authority after it discovered the attack, and to the substantial investments the company made in strengthening its information security measures.