Background to GDPR
Everyone who owns a website that operates in the EU should by this stage be well aware of the General Data Protection Regulation (GDPR), which became law throughout the EU at the end of March last year.
If you are not familiar with GDPR, it is an EU regulation on data protection. Essentially, it gives individuals in the EU control over their personal data and is intended to prevent the processing or use of private information without the person's prior consent. GDPR applies to all EU citizens and to any company processing information about EU citizens, irrespective of whether that company is resident in the EU or not.
The motivation for taking this seriously was the threat of a fine of up to €20 million or up to 4% of the annual worldwide turnover in the preceding financial year for anyone violating the GDPR regulations.
Despite the threat of large fines, not everyone bought in to GDPR; some skeptics felt that GDPR was just another nuisance and a typically 'over the top' piece of EU legislation.
While data processing companies, marketing companies and a host of other companies may have felt that GDPR is too restrictive and potentially a major loss of revenue, it is important to keep in mind that GDPR is intended to protect the data and information pertaining to individuals and to prevent large organisations from exploiting that information.
The Largest Fine to date
On Monday 21 January 2019, the French data-privacy authority CNIL fined Google €50 Million for alleged infringement of the GDPR. Even though Google is a US company, it is required to comply with the EU regulations for any data it takes from citizens in the EU. While there have been other fines handed down since the implementation of the GDPR, this is the first fine imposed on a US company and is by far the largest fine to date.
Google and GDPR
Early 2018 was a time of continual (almost spammy) messages from various companies asking us to approve their capture and use of our data on their platforms, or advising us of their compliance with GDPR. Google, which is without doubt the biggest service provider in the world, was no exception: it implemented systems that gave users better control of their data and visibility of where that data would be used, and of course that complied with the regulations.
If any company was going to be fined, it was most likely to be Google
The almost daily email messages from Google regarding GDPR were not surprising considering the huge user base that Google manages through the services it offers, and the fact that data, information and knowledge are key to the way Google works. This made GDPR something that had to be taken very seriously, because if any company was at the highest risk of non-compliance, even with the best will in the world, that company would be Google.
The €50 million fine issued against Google relates to personalised advertisements.
The French National Data Protection Commission (CNIL) started an investigation into Google in June 2018 after it received complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). These complaints were lodged on the day the law went into effect. The investigation included an on-line inspection of documentation and user actions, and this led to the claim that there were two violations, namely:
- A violation of the obligations of transparency and information
- A violation of the obligation to have a legal basis for ads personalization processing
Essentially, the first claim is that there are too many steps involved in getting to the information about personal data, that it is not clear to the user what the purpose of the data processing is, and that the retention time is not provided for some data. The second claim essentially states that the consent given by the user is not specific and is not unambiguous (double negative intended). The GDPR requires that consent is given for each usage of data and that this consent is unambiguous.
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit." (Max Schrems, Chairman of NOYB)
Publicity and Severity
The publicity created by the €50 million fine is considered appropriate (by CNIL) given the severity of the infringement. The fine is a major test of the privacy laws and is a statement that authorities are not afraid to impose fines on companies that violate the GDPR regulations.
Google captures a huge amount of data about individuals from the services it offers, and this data can be combined in an enormous number of ways to reveal important private information about the individual. CNIL notes that despite the measures Google has implemented to offer users more control over their data, Google still fails to provide guarantees about how this data will be used and what it may reveal.
A Google spokesperson responded to the fine, saying that Google is "deeply committed" to meeting the "high standards of transparency and control" that people expect of it. The spokesperson also said that the company was studying the decision in order to determine its next steps.