The French data regulator, CNIL, has issued Google with a £44 million (€50 million, US$57 million) fine for a breach of the EU's General Data Protection Regulation (GDPR) after two privacy rights groups lodged complaints against the company, one of them on the day the GDPR came into effect.
The groups claimed that Google did not have a valid legal basis, as required by the GDPR, to process user data for ad personalisation. In its finding, CNIL cited a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”
CNIL stated that Google had not obtained clear consent from users to process data because the necessary information was provided across several documents, accessible only after taking several steps. Also, when a user signs up, the option to personalise ads is pre-selected, and users give consent for ALL the processing operations carried out by Google. This is contrary to the GDPR, which requires that consent is given for each specific purpose.
Google has said that it is "studying the decision" to determine its next steps and that it is "deeply committed to meeting those expectations and the consent requirements of the GDPR."
Find out more about the ICO's guidelines on consent under the GDPR, which clarify key issues regarding consent and when it should be relied on as a lawful basis for processing personal data.
What does the Google GDPR breach mean for businesses?
This decision highlights the importance for companies of thoroughly analysing all operations involving the processing of personal data to ensure GDPR-compliance and demonstrates the authorities’ readiness to enforce the available sanctions.
Read more about processing of personal data and the difference between controllers and processors under the GDPR.
How are GDPR fines calculated?
The French data regulator, CNIL, reported that "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent."
Find out more about GDPR fines and sanctions. Read SA Law's guide to the GDPR and download the 5 stages to GDPR compliance infographic here.