Lessons from the Google GDPR Fine


On 21st January 2019, the French National Data Protection Commission (CNIL) fined Google 50 million euros for breaches of the General Data Protection Regulation (GDPR). This is the biggest financial penalty issued so far by any European regulator under the new law. But the decision goes far beyond Google or even the tech sector.

In May 2018 CNIL received complaints from two privacy groups: None Of Your Business and La Quadrature du Net. They argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as it was in effect forcing users to consent.

CNIL agreed, citing a “lack of transparency, inadequate information and lack of valid consent” regarding ad personalisation for users. It said users were “not sufficiently informed” about what they were agreeing to. Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, by splitting them across multiple documents, help pages and settings screens. That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads.

To meet the GDPR standard (Article 4), consent must be, amongst other things, “specific” and “unambiguous”. Google’s consent failed as users were not asked specifically to opt in to ad targeting but were asked simply to agree to Google’s terms and privacy policy bundled together.

Google is appealing the decision. Meanwhile the Swedish Data Protection Authority (Datainspektionen) has also announced an investigation into Google’s slurping of location and web histories.

This decision requires all Data Controllers to think carefully about how they go about obtaining consent for personal data processing. Articles 7 and 8 of GDPR must be considered as well as the Article 29 Working Party guidance.

Articles 13 and 14 set out what information should be given to data subjects when processing their personal data. This is a stand-alone right but it also helps to ensure that the processing is fair and transparent as per Article 5(1)(a). Our blog on what to include in a privacy notice (including examples) will help those revising their notices in the light of this decision.

BREXIT UPDATE: Draft regulations have been laid before Parliament to amend GDPR and the Data Protection Act 2018, which will change as a result of Brexit. If you want to know more, Ibrahim Hasan is presenting a webinar on 12th and 21st February 2019 at 10am.

Make 2019 the year you achieve a GDPR qualification. Our GDPR Practitioner Certificate courses are filling up fast.

About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 16 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises. We pride ourselves on having well renowned experts in the fields of Data Protection, Freedom of Information, Surveillance Law and Information Management. All our experts have worked within the public and private sectors and have many years of experience of training and consulting in these areas. Our clients include central government, local authorities, multi-national corporations as well as other public and third sector bodies including schools. Please visit our website to see the range and testimonials of our satisfied clients.