When the European Union’s (EU's) General Data Protection Regulation (GDPR, discussed in a December 2017 client alert) took effect May 25, 2018, the French data protection regulator, Commission nationale de l'informatique et des libertés (CNIL), which translates to National Information Rights Commission, began investigating Google’s data privacy practices. Now, the CNIL has imposed on Google a €50 million fine (about $57 million), the largest to date under the GDPR, for lack of transparency, inadequate information, and lack of valid consent regarding its personalized ads. Below is a summary of the enforcement action and what it means going forward.
One focus of the GDPR is transparency: it requires that companies clearly explain how data are collected and used. Under the GDPR, companies must also have a lawful basis for processing data, such as user consent. CNIL said that Google’s consent mechanisms were too broad and did not adequately clarify to what users were consenting. Instead, users were largely unaware of what data they agreed to share or how Google used the data. For example, Google’s default setting is to display personalized ads to users. Although this setting could be changed, it lacks clear affirmative consent from a user. Further, Google would not allow users to create an account until they had agreed to its terms and conditions in full.
Although the fine against Google is significant, it is far lower than the maximum penalty allowed under the GDPR, which is 4% of annual worldwide turnover. For Google, that would amount to more than $4 billion. However, being fined under the GDPR can bring other financial repercussions as a result of damage to a company's reputation. Consumers might be startled to learn that a company misappropriates their data, and they might cease using that company’s services.
Few fines have been levied under the GDPR since it took effect, but CNIL’s fine against Google signifies EU member states’ seriousness about enforcing the regulation. GDPR enforcement actions that have not resulted in fines have imposed requirements on companies to become GDPR-compliant or cease non-compliant activity, which also brings other significant costs.