momius - stock.adobe.com

Google GDPR fine of $57 million sets record

The Google GDPR fine of $57 million marks the first time a major tech company has been penalized under Europe's new privacy regulations. But the fine is less than the maximum allowable penalty.

The first major U.S. tech company to run afoul of the European General Data Protection Regulation privacy laws is Google, as a record fine was levied against the company on Monday.

France's National Commission on Data Processing and Liberty (CNIL) imposed the Google GDPR fine of 50 million euros -- approximately $57 million -- based on complaints received by two different groups. CNIL received group complaints on May 25, 2018, which was the same day GDPR officially went into effect, and May 28 from None Of Your Business (NOYB) and La Quadrature du Net -- two digital privacy advocacy groups based in Vienna and Paris, respectively -- the latter of which represents 10,000 people.

CNIL said it immediately began investigating in cooperation with other European privacy agencies. The investigation showed information pertaining to Google's ad personalization is not easily accessible by users, because it is "excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information."

"Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined," CNIL wrote in a blog post. "The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes."

CNIL also determined the consent Google obtained for ad personalization was not valid due to the following reasons: Users were not aware of the extent to which data would be processed and combined, and consent must be specific and unambiguous. Google failed this in regard, because the option to display personalized ads on Google was "pre-ticked." According to CNIL's blog post, per GDPR rules, "consent is 'unambiguous' only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance)."

Max Schrems, chairman of NOYB, hailed the Google GDPR fine as "the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law."

"Following the introduction of GDPR, we have found that large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products," Schrems said in a statement. "It is important that the authorities make it clear that simply claiming to be compliant is not enough."

Ailidh Callander, legal officer for Privacy International, a privacy rights charity based in London, praised the Google GDPR fine. "In order for GDPR to be effective at protecting people's data, it must be implemented and enforced," she said.

"Despite numerous statements by Google that it takes the protection of people's data seriously, the decision demonstrates that they have a long way to go and that regulators will take action to hold companies that fail to comply with GDPR to account," Callander said in a public statement. "This fine should serve as a wake-up call for all companies whose business models are based on data exploitation to take data protection and individual's data rights seriously. Whilst 50 million euro may not seem a lot to Google, it is just a single fine and regulators should continue to take action on other pending complaints."

The maximum penalty Google could have faced was 4% of its global revenue for the prior year, which would have been more than $4.7 billion in Google's case. CNIL said the Google GDPR fine and publicity of the fine "are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent."

Google said it would be appealing the fine.

"We've worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing," a Google spokesperson said. "We're also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal."

Dig Deeper on Compliance