Yesterday, it was reported that Google has been fined €50M by the French data protection authority for breaches of the GDPR. It’s the first time that a fine of this magnitude has been imposed since the GDPR became effective last May.

The higher tier of fine under the GDPR permits data protection authorities to levy penalties of up to of 4% of annual worldwide turnover or €20M, whichever is the greater. The Google decision leaves no room for doubt that data protection authorities are more than prepared to flex their muscles and follow the “whichever is greater” option where they feel this is warranted.

The complaint which led to the fine concerned Google’s use of the personal data of users of its many different services to create personalised ads. The French data protection authority found that, in doing so, Google had breached fundamental principles of the GDPR, namely:

  • The need for transparency;

  • The enhanced information requirements; and

  • The requirement for consent to be specific and unambiguous.

Whilst the specific facts of the case may not be relevant to all organisations, the decision is a timely reminder of the importance of complying with the data protection principles (and the consequences that can result from a failure to do so).

Some important reminders

Particular GDPR requirements emphasised by the Google decision which all organisations should ensure they are complying with are:

  • The need to provide clear and comprehensive privacy information to data subjects before undertaking any processing of personal data. In particular, data subjects should not be required to peruse lots of different documents/take numerous actions before they can obtain a clear picture of what personal data is being collected and what it is going to be used for.

  • Privacy notices should clearly set out the legal bases that are being relied upon in relation to different types of processing activity.

  • Organisations should not use their privacy notices as a means of obtaining blanket consent to processing. Such consent will not be valid. This is since the GDPR requires that consent is specific (which means that data subjects should be given the chance to consent to some types of processing but not others).

  • Where organisations use consent as the lawful basis for a processing activity, such consent must be unambiguous. This means that there must be a clear affirmative action on the part of the data subject indicating consent. Pre-ticked boxes should not be used.

If you’d like any further information about the Google ruling or how you can ensure your organisation doesn’t make the same mistakes, please do not hesitate to contact a member of our Information Law Team.

RELATED:INFORMATION LAW >>GELDARDS GUIDE TO GDPR >> EMPLOYMENT >>


FROM THE ADVICE CENTRE

News

Land Transaction Tax - Are you ready for 1st April?
02/02/2018
Land Transaction Tax (“LTT”) will take effect from 1st April 2018 and, alongside Landfill Disposals Tax, will be the first new tax in Wales for 800 years.
more...

Events

Network Derby -  Membership Renewal
01/01/2018
As we enter into another year of Network Derby, our community continues to develop providing regular opportunities for local business people to network, share ideas, develop new skills and foster new business contacts.
more...

Blogs

Cyber-Security Issues & Increased Obligations under the GDPR
15/02/2017
The National Cyber Security Centre (NCSC) opened this week and is promised to be the “authoritative voice on information security in the UK”.
more...

Publications

Geldards Guide to General Data Protection Regulations (GDPR)
27/01/2017
The General Data Protection Regulation (‘GDPR’) is the new EU data protection framework replacing the current Data Protection Directive implemented in the UK by the Data Protection Act 1998.
more...

PARTNER

Debra Martin

DEBRA MARTIN

Partner, Derby

+44 (0)1332 378 355
email
more...

PARTNER

Lowri Phillips

LOWRI PHILLIPS

Partner, Cardiff

+44 (0)29 2039 1758
email
more...

PROFESSIONAL SUPPORT LAWYER

Helen Snow

HELEN SNOW

Professional Support Lawyer, Cardiff

+44 (0)29 2039 1497
email
more...