Google hit with record $80m GDPR fine

France’s data privacy authority CNIL has fined Google a €50 million ($79.6 million) for alleged ongoing violations of the EU’s General Data Protection Regulation.

The fine — the highest handed out under the GDPR scheme to date — is the culmination of an investigation into the company’s handling of personal data for the purposes of ad personalisation.

According to the findings of the investigation, Google remains in violation of the GDPR by failing to meet its obligations for transparency and obtaining affirmative consent for the collection and use of personal data.

For example, Google was found to spread essential information on its processes and practices for collecting and managing personal data across multiple online documents. CNIL noted that it sometimes takes up to five or six actions to access the relevant information on a given topic, such as information on the data that is being collected.

Google’s stated purposes for processing personal data, as well as the categories of data collected, were also found to have been described in too generic and vague a manner.

In a development that could perhaps have even more significant consequences for Google — as well as other companies whose business model relies on the use of personal information — the CNIL also found that Google was not validly obtaining consent to process data for ad personalisation purposes.

The CNIL held that Google was failing to meet the requirements under the GDPR to obtain unambiguous consent for the collection of personal information.

For example, Google’s practice of having users opt in by default for having their information collected for ad personalisation purposes was found to fall afoul of this requirement.

CNIL’s report states that the size of the fine is “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”, as well as the vast potential for harm that could result from the misuse of data that can reveal such an important part of a user’s private life.

As well as the potential impact of the decision on the digital services sector, the CNIL’s decision sends a strong signal that the era of GDPR compliance has well and truly arrived, according to Proofpoint Cyber Security SVP Ryan Kalember.

“Many organisations are still unsure whether their GDPR compliance strategy is 100% fit for purpose, but this incident signals that long gone are the days where privacy can be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue,” he said.

“By becoming the highest fined company since GDPR came into force, Google is now the black and white case study of ‘what could happen’ in the event of non-compliance. In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.”

Image credit: ©BillionPhotos.com/Dollar Photo Club

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.