France issues Google with the heaviest GDPR fine to date

The claims were brought against it just days after GDPR took effect

Google has been hit with a landmark 50 million GDPR fine, issued by the French privacy Watchdog CNIL - the largest in the GDPR's history.

The fine was issued following complaints made by two organisations, noyb (None of Your Business) and LQDN (La Quadrature du Net), back in May 2018 relating to Google's 'forced consent' to continue processing users' data.

Specifically, the complaint related to Android users who, when setting up a new Android phone, were forced to follow Android's onboarding process which included forced consent for the processing of their data. Both groups said Google had no legal basis to process the personal data of its users "particularly for ads personalisation purposes".

GDPR requires the data controller to provide its users with the option to opt-in to have their data processed whereas, before the regulation's implementation, users were required to opt-out.

"This is the first time that the CNIL has applied the new maximum penalties provided by the GDPR. The amount withheld, and the advertising of the fine, at first justified by the seriousness of the deficiencies that affect the essential principles of GDPR: transparency, information and consent," CNIL said in a statement.

The maximum fines for GDPR are 20 million or 4% of the company's annual turnover, whichever is greater. In this case, Google could have theoretically faced a maximum fine of almost 4 billion.

While 50 million is pocket change compared to the potential maximum fine that could have been issued - especially since 50 million was just 0.0005% of Google's annual turnover for 2017 - some believe it does at least show that GDPR is being taken very seriously by the powers that be. 

"The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR," said Matt Lock, director of sales engineering at Varonis.

"The news should be hitting companies like a cold shower. It's not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls.

"The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar - their luck may be running out soon."

The landmark fine was justified by Google's lack of action following the claim. CNIL said that the violations are continuing to this day and are ongoing violations of the GDPR.

Schrems takes no prisoners

The privacy group noyb lead by Austrian lawyer and privacy advocate Max Schrems has also made the headlines for filing a further eight GDPR complaints on behalf of 10 users on Friday.

The companies in noyb's crosshairs include Amazon, Apple, Netflix, SoundCloud, Spotify and YouTube. The complaints were filed under alleged violations of Article 15 of the GDPR which relates to the users' right to access their own data.

"Many services set up automated systems to respond to access requests, but they often don't even remotely provide the data that every user has a right to," said Schrems.

"In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users' rights, as these systems are built to withhold the relevant information."

Credit: noyb

The privacy group tested the aforementioned companies to see how well they complied with the specific requirement of GDPR "but no service fully complied," it said.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Most Popular

Dell XPS 15 (2021) review: The best just got better

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
UK businesses urged to join four-day working week trial
Business operations

UK businesses urged to join four-day working week trial

17 Jan 2022