The French data regulator, CNIL, has issued Google with a £44 million (€50 million, US$57 million) fine for a breach of the EU's General Data Protection Regulation (GDPR) after complaints were lodged against the company by two privacy rights groups, one of them on the day the GDPR came into effect.
The groups claimed that Google did not have a valid legal basis, as required by the GDPR, to process user data for ad personalisation. In its finding, CNIL cited a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”
CNIL stated that Google had not obtained clear consent from users to process data because the necessary information was spread over several documents, accessible only after taking several steps. Also, when signing up, the option to personalise ads is pre-selected and users give consent for ALL the processing operations carried out by Google. This is contrary to the GDPR, which requires that consent is given for each specific purpose.
Google has said that it is "studying the decision" to determine its next steps and that it is "deeply committed to meeting those expectations and the consent requirements of the GDPR."
What does the Google GDPR breach mean for businesses?
This decision highlights the importance for companies of thoroughly analysing all operations involving the processing of personal data to ensure GDPR compliance, and demonstrates the authorities' readiness to enforce the available sanctions.
How are GDPR fines calculated?
The French data regulator, CNIL, reported that "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent."