Google got slapped with a penalty of €50 million ($56.8 million) for a GDPR violation. This is the biggest penalty issued for a GDPR violation thus far.
The National Data Protection Commission (CSIL), a French GDPR supervisory authority, investigated Google's alleged GDPR violations after receiving two complaints from the privacy rights groups La Quadrature du Net and noyb. The first complaint was submitted on May 25, 2018, the GDPR compliance deadline day.
The complaints concerned the way Google processes user data for personalizing advertising campaigns. It was alleged that Google didn’t have a valid legal basis to process user data and had not obtained clear authorization to do so from users.
Although information regarding its data processing activities was available to users, the information was distributed across a number of documents, so it was not clear to consumers how Google processes personal information. As per CSIL, a consumer must take five or six steps to discover vital information regarding Google’s processing activities associated with personalized ads and, as a result, users could not easily understand how Google processed their information. According to CSIL, this lack of transparency left consumers uninformed about the “particularly massive and intrusive” data processing behind serving personalized advertisements.
When consent was obtained, Google used pre-checked consent forms requiring users to just click to accept its privacy policies. This is another violation of GDPR. When acquiring consent, users should manually mark check boxes to indicate their consent to each element. Consent must be given affirmatively through a specific opt-in process.
The scope of the GDPR violations, which are continuing, called for a sizable fine. The highest penalty for severe GDPR violations is €20 million ($22.73 million) or as much as 4% of global yearly turnover, whichever is higher. Though the €50 million penalty is big, it falls short of the highest possible penalty that could be imposed on Google, which is about $4.4 billion based on its $110.8 billion annual turnover in 2017.
The complaints filed with CSIL are two of many complaints filed against Google in relation to GDPR. Consumer groups in a number of EU countries have submitted complaints over what are deemed to be deceitful privacy practices. If the complaints are substantiated, Google will face even more fines.
Google has responded to the GDPR penalty by issuing a statement saying it is seriously committed to transparency, control, and consent as demanded by GDPR and will review CSIL’s decision to figure out what actions need to be taken.
The huge GDPR violation penalty sends a clear message to big technology companies and other entities that gather or process the information of EU residents. They need to comply with all facets of GDPR requirements or face serious penalties for noncompliance.