Google issued with £44m fine over GDPR breach

Google is under fire as Ad personalisation causes a GDPR breach, leading to a fine of £44 million pounds. why is this a breach? SA Law Data expert Chris Cook explains more.

French data regulator, CNIL, has issued Google with a £44 million (€50 million, $57USD million) fine for a breach of the EU's General Data Protection Regulation (GDPR) after complaints were lodged by two privacy rights groups against the company, one of these on the day the GDPR came into effect.

The groups claimed that Google did not have a valid legal basis, as required by the GDPR, to process user data for ad personalisation. In its finding, CNIL cited a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”

CNIL stated that Google had not obtained clear consent from users to process data because necessary information was provided over several documents, accessible only after taking several steps. Also, when signing up, the option to personalise ads is pre-selected and users give consent for ALL the processing operations carried out by Google. This is contrary to the GDPR which requires that consent is given for each specific purpose.

Google has said that it is "studying the decision" to determine its next steps and that they are "deeply committed to meeting those expectations and the consent requirements of the GDPR."

Find out more about the ICO's guidelines on consent under the GDPR that clarifies key issues regarding consent and when it should be relied on as a lawful basis for processing personal data.

What does the Google GDPR breach mean for businesses?

This decision highlights the importance for companies of thoroughly analysing all operations involving the processing of personal data to ensure GDPR-compliance and demonstrates the authorities’ readiness to enforce the available sanctions.  

Read more about processing of personal data and the difference between controllers and processors under the GDPR.

How are GDPR fines calculated?

French data regulator, CNIL reported that "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent."

Find out more about GDPR fines and sanctions. Read SA Law's guide to the GDPR and download the 5 stages to GDPR compliance infogaphic here.

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.
Read our latest views & insight about the GDPR

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.