Yet when May 25th 2018 came and went with no eye-watering fines hitting the headlines, businesses breathed a sigh of relief and carried on. Since then, we have seen a number of small fines, including €400,000 to a Lisbon hospital and €20,000 to a German social media company, yet the large fines of 4% of global turnover had failed to materialise. This all changed on the 21st January this year, when the French data protection watchdog, CNIL fined Google a staggering €50 million following a breach of GDPR. So is it time to dust off those GDPR papers from last year?
Of course, this is a drop in the ocean for Google considering their €30 billion turnover last quarter, but the fine does demonstrate a willingness to implement GDPR and deliver harsh penalties to those who are not following the rules. This fine stems from a number of complaints which were made the day that GDPR was introduced by NOYB, a not-for-profit organisation run by Max Schrems1 - a self-styled privacy champion.
The investigation’s findings showed that Google breached the GDPR multiple times by violating the obligations to be transparent and provide information to data subjects as well as failing to obtain consent for personalised advertisements. CNIL have stated that, in regards to the first breach ‘essential information… [is] excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information’ making it difficult for data subjects to view. The second violation was due to a pre-checked consent box which did not comply with the affirmative action required under Article 4(11) of the GDPR. This is not the cloak-and-dagger misdemeanours of the Facebook and Cambridge Analytica scandal, but poor website layout which could easily have been remedied with a thorough risk assessment.
Google has announced that it will appeal the fine2 , they did release a statement declaring that it is ‘committed to meeting those expectations and the consent requirements of the GDPR’. This fine sets a potentially expensive example for the other companies who may be targeted by NOYB including Amazon Prime, Apple Music, Netflix, Spotify and YouTube. It is little doubt that they’ll be waiting with baited breath to see if a similar penalty lies on the horizon for them.
To find out more please get in touch with your usual Gallagher representative.
Sources:
- https://www.edwincoe.com/blogs/main/data-privacy-fine-google/
- https://www.businessinsider.com/google-appeals-57-million-fine-for-breaching-gdpr-privacy-rules-2019-1
