Joseph Assaf Turner
Google Fined €50M for GDPR non-compliance
Google was fined €50M (over $56M USD) by the French data protection authority (CNIL) on January 21. This is considered the first big fine under the European Union’s General Data Protection Regulation (GDPR) and probably marks the start of EU watchdogs closing in on all those information giants peddling our private data.
In a statement, CNIL mainly cited two major GDPR violations when fining the internet search giant:
A violation of the obligations of transparency and information
CNIL points out that although Google mentions the type of data it collects, this information is spread across several documents and links, which does not comply with the GDPR's call for easy access to information about personal data that is being collected, processed and sold to third-party advertisers.
A violation of the obligation to have a legal basis for ads personalization processing
According to the GDPR, personal information must be obtained on a sound legal basis. The most obvious one is clear and active (opt-in) user consent. The failure to establish such a legal basis was pointed out on two counts:
Much like the previous section, a lack of transparency makes the user’s agreement to private data collection an uninformed one.
The GDPR mandates that consent to personal data collection be given “Specifically” and “Unambiguously”. CNIL points out that neither criterion was satisfied in the consent process.
Looking at this fine, it seems like civil law finally (even if only partially) caught up with the information data giants who seemed to be above the law.
A perfect example of this was Mark Zuckerberg’s Senate hearing on April 10, 2018, where lawmakers seemed unable either to grasp the extent of personal data mining and peddling done by Facebook or to confront Mr. Zuckerberg with focused questions on the subject.
As far as the rest of us are concerned – the Google fine should serve as a warning. Law and regulation, albeit slow, will catch up with companies and individuals infringing on our human right to privacy. This warning should be taken seriously, and as part of a balanced risk management process, the risk of a fine should be mitigated.
Complying with the GDPR will cost a fraction of any fine the EU may impose, and, in the process, the company will see better cybersecurity, greater attention to human rights, and even a competitive edge for championing personal privacy.