Massive Fine Imposed On Google For GDPR Breaches
Yesterday, it was reported that Google has been fined €50M by the French data protection authority for breaches of the GDPR. It’s the first time that a fine of this magnitude has been imposed since the GDPR became effective last May.
The higher tier of fine under the GDPR permits data protection authorities to levy penalties of up to of 4% of annual worldwide turnover or €20M, whichever is the greater. The Google decision leaves no room for doubt that data protection authorities are more than prepared to flex their muscles and follow the “whichever is greater” option where they feel this is warranted.
The complaint which led to the fine concerned Google’s use of the personal data of users of its many different services to create personalised ads. The French data protection authority found that, in doing so, Google had breached fundamental principles of the GDPR, namely:
- The need for transparency;
- The enhanced information requirements; and
- The requirement for consent to be specific and unambiguous.
Whilst the specific facts of the case may not be relevant to all organisations, the decision is a timely reminder of the importance of complying with the data protection principles (and the consequences that can result from a failure to do so).
SOME IMPORTANT REMINDERS
Particular GDPR requirements emphasised by the Google decision which all organisations should ensure they are complying with are:
- The need to provide clear and comprehensive privacy information to data subjects before undertaking any processing of personal data. In particular, data subjects should not be required to peruse lots of different documents/take numerous actions before they can obtain a clear picture of what personal data is being collected and what it is going to be used for.
- Privacy notices should clearly set out the legal bases that are being relied upon in relation to different types of processing activity.
- Organisations should not use their privacy notices as a means of obtaining blanket consent to processing. Such consent will not be valid. This is since the GDPR requires that consent is specific (which means that data subjects should be given the chance to consent to some types of processing but not others).
- Where organisations use consent as the lawful basis for a processing activity, such consent must be unambiguous. This means that there must be a clear affirmative action on the part of the data subject indicating consent. Pre-ticked boxes should not be used.
If you’d like any further information about the Google ruling or how you can ensure your organisation doesn’t make the same mistakes, please do not hesitate to contact a member of our Information Law Team.