With the anniversary of the General Data Protection Regulation (GDPR) coming into force just months away, Google has been fined a record sum for major data breaches; and separate complaints have been made against Google and other high-profile tech giants around non-compliance with the rules.
Record fine for Google
First, Google has just been fined a record €55m (£44m) by the French supervisory authority, CNIL, after being found to have breached GDPR rules by failing to have a lawful basis for processing its customers’ data in relation to personalised adverts. Two group complaints were filed by privacy groups against Google very shortly after the GDPR came into force.
CNIL, the French equivalent of our Information Commissioner’s Office, investigated the complaints, carrying out online inspections in September 2018 to verify the legality of Google’s implementation of the processing operations. It found that the company had violated the GDPR obligations of transparency and information, and the obligation to have a legal basis for ads personalization processing. Users were not told enough about how the company collected data for personalised advertising. CNIL also found that users were unable to fully understand the extent of Google’s processing operations.
Furthermore, there was a pre-ticked option for customers to personalise ads when they created an account. Under the GDPR, consent must be ‘unambiguous’, with a clear affirmative action from the user, i.e. by ticking a non-pre-ticked box. Google’s pre-ticked box aimed to obtain umbrella-style consent for all of Google’s processing purposes, including ads personalization and speech recognition. This was also in breach of the rules because the GDPR requires that consent be “specific”, i.e. given distinctly for each purpose.
As for the level of the fine imposed, CNIL justified this on the basis of the severity of the infringement, and the fact that the violations are continuous breaches of the GDPR (as at 21 January 2019). They were not one-off breaches.
More complaints filed
Meanwhile, eight tech firms – including Google – are the subject of a complaint, filed with Austria’s data protection regulator, by NOYB on behalf of users who stream music, films and other entertainment. Other firms named in the complaint include Amazon, Apple, Netflix and Spotify. The complaints allege non-compliance with the user’s right to access their data and various “structural violations” of the law.
The GDPR gives individual users the right to request a copy of their personal data from these companies, in an easy-to-understand and machine-readable format which gives customers flexibility, for instance, to transfer their data to a competitor. However, users’ complaints include receiving unintelligible data, data that was not understandable by all, failure to supply (or late supply of) information requested and, in some cases, failure even to reply to requests for information.
We will be watching to see how the data regulator in Austria responds to the complaints and whether further significant fines (of up to €20m or 4% of a company’s global turnover under the GDPR) will be imposed.
What does this mean?
The fine imposed on Google sends a clear message to businesses that the regulators will not hesitate to enforce the rules to protect consumers and the use of their data. These developments show how seriously the regulators take GDPR compliance, the responsibility businesses have in complying with their GDPR obligations and what happens if they do not.
The important takeaway is that this is a timely reminder to review your GDPR compliance procedures and ensure you are not falling foul of the rules.