French data protection regulator CNIL has imposed a €50 million ($57 million) fine on tech giant Google for failing to comply with the EU’s General Data Protection Regulation (GDPR).
The EU privacy law, which took effect last May, is among the most strict set of data privacy regulations in the world and creates several protections for users on how their personal data can be used. Within minutes of the law taking effect, complaints were filed against several companies, including Google, Facebook, Apple, Amazon, and LinkedIn.
In order to streamline cases, the GDPR provides that one EU regulator take the lead in data privacy cases. In Google’s case, that was French regulator CNIL, which fielded several original complaints against the tech company. CNIL said it carried out online inspections of Google in September, based on the complaints it received.
In a statement, CNIL said it issued the fine because Google did not meet the law’s standards for providing enough clear information about its policies on data collection and make them easily accessible to users, nor did it obtain sufficient user consent for ad personalization across each of Google’s many services.
“The information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company,” the French regulator said in a statement. “Finally, the restricted committee notices that the information about the retention period is not provided for some data.”
Time for a GDPR Compliance Audit?
For internal auditors, the case may serve as a wake-up call to put GDPR compliance on the audit plan. Penalties for non-compliance can be quite severe. A fine up to €20 million ($23.5 million) or up to 4 percent of the annual worldwide revenues of the preceding financial year can be levied for violating certain provisions of the regulation. While Google’s $57 million fine seems substantial, Google may have gotten off easy. For Google, the 4 percent penalty would amount to nearly $4.5 billion.
Cases against Apple, Instagram, Facebook, LinkedIn, and many others remain pending. The fine against Google could embolden data privacy advocates and watchdogs to bring complaints against more companies. 