Google fined for breaking GDPR rules

Find out why Google was fined for allegedly breaking GDPR rules.

It is now almost eight months since GDPR was first implemented into European law. Despite this, recent studies have suggested that 50% of UK businesses are still not fully compliant with the regulations. Up until now, there have been relatively few high-profile cases. The most notable examples included a Portuguese hospital having to fork out €400,000 for allowing too many employees to access patient records, and the German chat website knuddels.de, which was fined €20,000 after the personal details of over 330,000 users were compromised in a hacking incident.

All this changed on 21 January 2019 when it was reported that global giant, Google, had been fined €50 million (£44 million) by French data regulator, CNIL, for breaching some of the regulations. Google was said to have demonstrated “a lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. In particular, CNIL claimed that “[u]sers are not able to fully understand the extent of the processing operations carried out by Google” because essential information was spread out over a number of documents.

Another issue was Google’s approach to consent. The option to personalise ads was pre-ticked when creating an account, something that breaks GDPR rules. The user should be able to opt in to personalised ads rather than opt out. CNIL also noted that “GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose”. Ideally there ought to be several boxes to tick in order to provide consent for services such as personalised ads and direct email communications. Google has decided to appeal against the fine.

One of the more interesting features of this story is the extent of the fine. GDPR states that the maximum fine is either €20 million, or 4% of annual turnover, whichever is greater. Since Google’s parent company, Alphabet, turned over billions in profits the previous year, the fine could have been considerably more than £44 million.

All this leads to more questions than answers about the criteria needed to implement the maximum fine under GDPR. It will also be interesting to keep an eye on the appeal process. Should the fine go through, it would have important implications for the way mega-corporations, particularly those that rely on targeted advertising, like Facebook and Amazon, run their business models.

Falling foul of consent rules is not the only problem many businesses are having in complying with GDPR. According to cloud data firm, Talend, only 17% of UK organisations have correctly complied with private citizen data requests, whereby individuals should expect to access their personal data within a month after requesting it (Article 15). Seemingly most organisations, large or small, are having some difficulties in complying with GDPR, even almost eight months down the line.
