
Digital Guardian's Blog

Google Fined $57M by Data Protection Watchdog Over GDPR Violations

by Chris Brook on Monday January 21, 2019


The French data protection authority said Monday that it has fined Google roughly $57M - the biggest penalty yet under the new law - for failing to acknowledge how its users' data is processed.

It remains to be seen whether there will be any ramifications from them, but data protection complaints – and now fines – against big tech companies like Amazon and Google are piling up.

France's data protection authority, CNIL, fined Google 50 million euros, almost 57 million USD, on Monday, alleging the company violated the EU's General Data Protection Regulation (GDPR), particularly in the way it handles ad personalization.

In the eyes of CNIL, also known as the Commission nationale de l'informatique et des libertés, Google doesn't obtain user consent to process data for ad personalization. CNIL says the consent Google collects isn't "specific" or "unambiguous," terms outlined by GDPR. This also makes it difficult for users to understand the "plurality of services" (Google, YouTube, Google Maps, Google Photos, etc.) across which their data will be used, processed, and combined, CNIL says.

The biggest drawback to this, CNIL says, is that users can't comprehend exactly what Google is doing with their data. Google doesn't communicate the information clearly enough, nor does it break down the fact that the legal basis of processing data is for ads personalization and not for the sheer benefit of the company.

“The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent,” CNIL said Monday.

CNIL asserts that these violations are ongoing, continuous breaches of GDPR and don't demonstrate "a one-off, time-limited infringement."

Some of CNIL's complaints regarding how difficult Google makes it for users to access information on how data is collected have been previously outlined by the European Consumer Organisation (BEUC). The BEUC filed a complaint against Google in November saying Google lacked valid consent and a valid legal basis to collect users' tracking data.

CNIL’s fine is based on previous complaints from two groups, Austria's None Of Your Business (NOYB) and France's citizen advocacy group La Quadrature du Net (“LQDN”).

Google told the press on Monday it was deliberating whether or not it would appeal the fine.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the G.D.P.R. We’re studying the decision to determine our next steps,” the company said.

The fine actually comes a few days after NOYB, an Austrian data privacy non-profit, filed complaints with data protection authorities against a handful of companies, Apple, Amazon, Netflix, and Spotify among them, alleging the companies are in violation of Article 15 of GDPR, the regulation's "right to access" rule.

The company, chaired by activist Max Schrems, requested private data held by the companies on users as a test; no service fully complied, NOYB said Friday.

In some instances users got raw data on themselves but little in the way of who and what entities it may have been shared with.

“Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to,” Schrems said, “In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”

Per Article 15 of GDPR, users have the right to find out whether data on them is being processed, the purpose, where the data is being stored, who the data has been disclosed to, and so on.

Schrems has drawn his share of ire from big tech; he wasted no time last May, shortly after GDPR took effect, filing complaints against Google, Facebook, Instagram, and WhatsApp, on the premise the companies were forcing users to consent to their terms of service.

Tags: Data Protection, Data Privacy


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.