Google issued with £44m fine over GDPR breach

Google is under fire as Ad personalisation causes a GDPR breach, leading to a fine of £44 million pounds. why is this a breach? SA Law Data expert Chris Cook explains more.

French data regulator, CNIL, has issued Google with a £44 million (€50 million, $57USD million) fine for a breach of the EU's General Data Protection Regulation (GDPR) after complaints were lodged by two privacy rights groups against the company, one of these on the day the GDPR came into effect.

The groups claimed that Google did not have a valid legal basis, as required by the GDPR, to process user data for ad personalisation. In its finding, CNIL cited a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”

CNIL stated that Google had not obtained clear consent from users to process data because necessary information was provided over several documents, accessible only after taking several steps. Also, when signing up, the option to personalise ads is pre-selected and users give consent for ALL the processing operations carried out by Google. This is contrary to the GDPR which requires that consent is given for each specific purpose.

Google has said that it is "studying the decision" to determine its next steps and that they are "deeply committed to meeting those expectations and the consent requirements of the GDPR."

Find out more about the ICO's guidelines on consent under the GDPR that clarifies key issues regarding consent and when it should be relied on as a lawful basis for processing personal data.

What does the Google GDPR breach mean for businesses?

This decision highlights the importance for companies of thoroughly analysing all operations involving the processing of personal data to ensure GDPR-compliance and demonstrates the authorities’ readiness to enforce the available sanctions.  

Read more about processing of personal data and the difference between controllers and processors under the GDPR.

How are GDPR fines calculated?

French data regulator, CNIL reported that "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent."

Find out more about GDPR fines and sanctions. Read SA Law's guide to the GDPR and download the 5 stages to GDPR compliance infogaphic here.

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.

Read our latest views & insight about the GDPR
GDPR Numbers Image SA Law
Views & Insights
GDPR one year on

Subject access requests and complaints have been commonplace since the GDPR came into effect. Find out more about the trends and traps.

Read More
SA Law Red arrow neon light image
Views & Insights
What to expect in Data Protection Law in 2019

Our Data Protection Team highlight what we can expect to see from the Data Protection Act in 2019 and the potential impact of E-Privacy Regulations.

Read More
SA Law Red arrow neon light image
Views & Insights
What is the difference between a controller and processor under the Data Protection Act 2018?

Partner and Head of Employment & Data Protection, Chris Cook describes how to distinguish between a processor and controller under GDPR.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR - 6 Months On

Partner and Head of Employment & Data Protection Chris Cook comments on the impacts of GDPR over the past 6 months.

Read More
SA Law Red arrow neon light image
Views & Insights
ICO publishes passwords and encryption guidance

Partner, Chris Cook, identifies the new ICO guidance on passwords in online services and encryption under GDPR.

Read More
Stained glass window Employment SA Law
Views & Insights
GDPR and SARs; staying compliant and protected

Partner and Head of Employment & Data Protection, Chris Cook writes in Education Executive about the GDPR and SARs.

Read More
Red arrow light
Views & Insights
Divorce and the GDPR

In the Financial Times Adviser, Marilyn and Chris discuss the implications of being jointly instructed by one party in the proceedings.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR: A five step guide to dealing with a data breach

Chris Cook shares a five step guide to dealing with a data breach including assessing risk & reporting.

Read More

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.