Eight months after the European Union’s General Data Protection Regulation (“GDPR”) came into force, the French regulator (“CNIL”) issued Google a EUR 50 million fine, the highest fine issued so far under the GDPR.
CNIL argued that Google failed to comply with the transparency obligation set in the GDPR, as the information provided by Google to the data subjects was neither easily accessible (e.g. it was scattered across several documents) nor clear or comprehensive.
In addition, CNIL stated that the consent of the data subjects for the purpose of certain data processing activities was not validly obtained. First, the data subjects were not sufficiently informed by Google as to what they were consenting to (for instance, the scope of the services to which the consent was granted was not clear). Second, the consent was not specific to each purpose of data processing. Finally, CNIL referred to the fact that Google set as a default the option of consenting to processing data for certain purposes by “ticking” the checkbox in advance, in clear contravention of the GDPR.
While the fine sounds substantial, the GDPR provides for fines of up to EUR 20 million or 4% of the annual global turnover. Therefore, this fine is not as severe as it could have been considering Google’s revenue, which stood at almost USD 34 billion in the third quarter of 2018 alone.
There is no doubt that massive corporations like Google are convenient targets for GDPR enforcement activities, as collecting fines from them is relatively simple and sanctioning them deters smaller companies from infringing the GDPR.
However, it should be emphasized that companies that process personal data – those in the ad-tech industry specifically – must be well-prepared and comply with the GDPR in all aspects of their activity in order to avoid such fines.