What does Google € 50 million GDPR fine mean for privacy compliance?

The € 50 million fine issued by the CNIL against Google for breach of GDPR obligations might lead to a major change to the privacy compliance approach.

You can read a more detailed article in English on the topic below or watch its summary in Italian in the video below as part of my videoblog “Diritto al Digitale“.

The CNIL € 50 million fine against Google for GDPR breach

The major news of the last days in the privacy world is definitely the issue of a fine of € 50 million by the CNIL, the French data protection authority, against Google for breach of GDPR obligations.

The case arose from complaints filed before the CNIL right after the 25th of May 2018 by two consumer associations against Google for

“not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes“.

Following the complaints, the CNIL reviewed the browsing pattern of users and the documents, they can have access, when creating a Google account during the configuration of a mobile equipment using Android. Following such review it concluded that there were the following breaches:

A violation of the obligations of transparency and information

Google was providing the information required under the GDPR (e.g.the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization), but the CNIL noticed that this information was disseminated across different documents with buttons and links on which it is required to click to access complementary information. Users had to perform 5 or 6 actions actions to get access to the GDPR required information on the data processing activities and the information was not always clear and comprehensive.

The consequence of the above was that – according to the CNIL – users are not in the position to understand how their personal data are processed. And this is deemed a major issue also because of the number of services offered by Google which trigger the processing of a large amount of personal data. In particular, the CNIL emphasized that users could not understand

• the actual purposes of processing,
• the categories of processed personal data and
• the legal basis of processing for the ads personalization that is consent, rather than the legitimate interest of the company

since they were descrived in a too generic and vague manner and the retention period was not provided for some data.

A violation of the obligation to have a legal basis for ads personalization processing

The legal basis of the ads personalization service according to Google’s privacy information notice is consent and the CNIL believed that such consent was not validly obtained because of

• the lack of information on how personal data collected from the different Google services (e.g. Google search, YouTube, Google home, Google maps, Playstore, Google picture) are combined for the purposes of ads personalization; and
• the lack of a “specific” and “unambigous” consent because users had to click on “More Options” to have more flexibility on the type of given consent and such consents were by default pre-ticked which is not in line with the GDPR, while the CNIL believes that consent is specific only if separate for each purpose of the data processing.

How was Google € 50 million GDPR fine calculated?

The CNIL deemed the € 50 million fine appropriate because of

• the severity of the privacy related breaches;
• the continuity of the breaches that were not one-off, time limited infringements;
• the impact on a large amount of individuals and
• the relevance of ads advertising on Google’s economic model.

The French data protection authority does not clarify the mathematic calculation performed to reach the amount of € 50 million. Indeed, as mentioned in my previous article “Are privacy fines really massive under the GDPR?“, GDPR fines are up to € 20 million or 4% of the total worldwide turnover of the previous year and take into account

• the concept of underkating, which goes beyond a legal entity, but considers the economic unit taking the decision which led to the breach;
• the need for fines to be effective, proportionate and dissuasive; and
• the nature, gravity and duration of the infringement on the basis of a number of factors, such as the number of individuals affected, the intentional or negligent character of the infringement and any action taken to mitigate the damage suffered by individuals.

With reference to Google, if we consider the revenues published for 2017 in relation to the whole Alphabet group, these are of $ 110.9 billion

which means that Google risked a $ 4.4 billion fine!

What’s the impact of Google fine on privacy compliance?

If we look at the figures above, it might appear that the € 50 million fine against Google for GDPR breach was actually a very good deal! It is also true that fines issued during the previous months by European data protection authorities for GDPR breaches had a much lower amount.

The point is whether the € 50 million GDPR Google fine will lead to a new approach by European privacy authorities that have been reluctant to issue severe fines during the last months, also because of some GDPR principles whose scope still has to be clarified. But the CNIL decision might set a higher threshold of compliance.

And indeed, we noticed in a number of privacy audits a tendency to make the mistakes raised by the CNIL since often

• the wording of privacy information notice is too vague and does not allow individuals to actually understand how their personal data are processed;
• there are privacy information notices that relate to any possible business of the company which make them often totally unintelligible;
• the applicable legal basis of the data processing is not clarified in a transparent manner, with some data processing activities that can be based on multiple legal basis, without explaining when each one applies and using legitimate interest as a sort of “catch-all” legal basis for when you cannot justify a data processing activity; and
• the data retention periods that are not expressly mentioned, but vaguely referred as a period of time adequate to the purposes of the data processing (Read on the topic “Data retention period, an intrigued rebus under the GDPR“).

Definitely there will be lots of work to do in the coming months since the “GDPR era” just started!

As mentioned above, you may read more on how GDPR fines are calculated in this article”Are privacy fines really massive under the GDPR?“. And if you found the article interesting, please share it on your favourite social media and register to our newsletter.