Google Slapped With 50m Euro GDPR Penalty

Europe’s tough new data protection laws have claimed their first scalp after Google was slapped with a 50 million euro (£44m) fine for breaking EU privacy laws.

The fine, issued by the France’s data protection office (CNIL), found the US search engine guilty “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”

The hefty fine, the largest GDPR penalty so far to be imposed against an American tech giant, comes after complaints were filed by two advocacy groups May last year.

GDPR fine

Those complaints was filed by France’s Quadrature du Net group, while the other was by ‘None Of Your Business’, created by the Austrian privacy activist Max Schrems who famously took on Facebook with the Irish data protection watchdog.

Their complaints centred around Google not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purpose.

Those complaints triggered a CNIL investigation, despite the fact that Google’s European headquarters are in Ireland, which would have normally meant the investigation was carried out by the Irish data protection watchdog.

But in this case, “the discussions with the other authorities, in particular with the Irish DPA”, but it was felt that when the CNIL initiated proceedings, “the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by Google, in relation to the creation of an account during the configuration of a mobile phone.”

The CNIL therefore carried out the investigation and “observed two types of breaches of the GDPR.”

Two breaches

Firstly, it decided that the information about data processing, geo-tracking, storage etc, provided by Google was not easily accessible for users, and needed 5 or 6 actions to access it. The CNIL also felt that some information was not always clear nor comprehensive.

“Users are not able to fully understand the extent of the processing operations carried out by Google,” said the CNIL. “But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined.”

“Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company,” it added.

“The CNIL restricted committee publicly imposes a financial penalty of 50 Million euros against Google,” it said. “This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”

Google reportedly said it was “studying the decision” to determine its next steps.

But at least one expert said that the fine should act as a wake up call for tech firms.

“The fact that the French regulator, CNIL, is applying a record fine to a high-profile company such as Google shows that GDPR is no longer an afterthought,” said David Emm, principal security researcher at Kaspersky Lab UK.

“While the potential heavy fines under GDPR have been spoken about for some time now, this fine sets a precedent of how the mishandling of data really does have serious consequences,” said Emm. “This is a landmark ruling, and one that will become the benchmark for future fines too. The standard has now been set, and companies the world over need to take notice.”

Facebook, Marriott and British Airways are amongst the organisations that have been hit by major data breaches since the GDPR came into effect.

GDPR enables European regulators to impose fines of up to 4 percent of a company’s global annual turnover for serious violations.

Quiz: Are you a Google expert?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

2 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

2 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

2 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

2 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

2 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

2 days ago