It’s been less than a year since the EU’s implementation of the GDPR (General Data Protection Regulation) and Google has already been caught on the wrong side. The company was fined €50 million ($57 million) for infringing on the privacy laws set forth by the GDPR.
The fine was imposed after Google was sued by the French data privacy authority, CNIL, following two complaints.
The complaints were received by the CNIL in June 2018, just one month after GDPR went live. The fine has raised concern among companies operating in the EU, and even Google itself warns that it may hurt its business.
Google finds itself at the center of increasing scrutiny around privacy. In response to the fine, Google claimed that they were committed to observing consent requirements and that they would adjust their services to suit the laws.
At the same time, they warned, in their official statement in response to the fine, that any changes to data privacy policies could be bad for their business:
“Changes to our data privacy practices, as well as changes to third-party advertising policies or practices may affect the type of ads and/or manner of advertising that we are able to provide which could have an adverse effect on our business…If we do not provide superior value or deliver advertisements efficiently and competitively, our reputation could be affected, we could see a decrease in revenue from advertisers and/or experience other adverse effects to our business.”
Considering that 86% of their revenue came from their ads, it’s no wonder they may be shaken up by the decision.
After the CNIL conducted its investigation, it found that Google had violated two laws set forth by GDPR. The first violation was Google obscuring information about how a person’s data is stored and used. In most cases, CNIL found, the information was difficult to come by and took five to six actions to reach. In other cases, the information was vague and sometimes not available at all.
CNIL found the second violation in Google’s broad consent requirement. According to GDPR, consent should be specific to each service provided and not generalized across all the company’s services. Moreover, the consent required is ambiguous in that the options are either pre-ticked or non-specific.
This was not the first case to be adjudicated under the GDPR, but it is certainly the highest fine issued so far. It isn’t the first time Google has found itself on the other side of the law either, but prior to GDPR, a company could only receive a maximum fine of €150,000.
Huge as the fine is, though, it’s nothing compared to what it could be. GDPR allows for a company to be fined up to 4% of its annual turnover, which for Google could mean billions of dollars.