Google GDPR fine signals a new chapter in data protection
Since the General Data Protection Regulation (GDPR) came into force in May 2018, we have been in something of a holding pattern. The European Union (EU) was never going to issue a major fine in the first few months, preferring instead to give organisations the chance to fully ready themselves for GDPR and to err on the side of leniency.
But news this month (January 2019) that Google is to be fined 50 million euros by the French data regulator CNIL, for a breach of the EU’s data protection rules, signals that the holding pattern is over and the EU is ready to get tough with organisations found to be non-compliant with GDPR.
What are the consequences of Google’s GDPR penalty and what can be done if an organisation is still not GDPR-ready?
The first major fine
Google is not only the first organisation to be hit with such a major fine for GDPR non-compliance; the fine has also opened a new chapter in data protection – one of significant penalties and serious enforcement.
With GDPR granting all EU data protection authorities new powers, France’s National Commission on Informatics and Liberty (CNIL) has hit one of the biggest firms in the world, an internet giant whose very business model is built on the use of consumer data to sell ads. The message is that no company is safe from GDPR fines.
Although Google’s European HQ is in Ireland, it is significant that it was CNIL, and not Ireland’s Data Protection Commission, that took the lead on the investigation and subsequent fining of Google. While most EU member states have broadly similar data privacy laws, there are some nuances that have become apparent in this case.
A lack of transparency and consent?
The CNIL issued a statement that went into more detail as to why Google was being fined, and cited a ‘lack of transparency, inadequate information and lack of valid consent regarding the ads personalization’.
According to GDPR, users need to approve each and every specific use of their data, and CNIL is alleging that Google is not enabling this, and is instead using pre-ticked boxes to gather approval. To become fully compliant, CNIL has suggested that Google begin to seek consent to process data for each service it provides. Each step would provide a new chance for consumers to opt out of sharing data.
This could have huge implications, not just for Google but for any organisation that is based on the collecting and sharing of data to drive revenue. A Google spokesperson has said in response to CNIL that it was ‘studying the decision to determine our next steps’.
Addressing GDPR as a priority
With the prospect of more fines under this new chapter of data privacy in the EU, it is essential for organisations to focus intensely on ensuring that all of their data handling meets GDPR requirements. This should include addressing consent-gathering practices to ensure that users can tick OK for every last purpose for which their data is to be used.
The smartest option for any organisation would be to work with a partner such as OXIAL. We have extensive experience in managing governance, compliance and risk for organisations located all over the world and have even launched our own comprehensive GDPR solution, the OXIAL GDPR EXPRESS.
The GDPR EXPRESS uses an automated digital compliance approach to offer 100% GDPR compliance and crucially can be live and operational in less than 90 days.
If that sounds like something that could be of interest to you, and you want to avoid the type of financial penalty faced by Google, please drop us a line to learn more.