Google LLC has been fined 50 million euros by CNIL (the French data protection regulator and ‘lead authority’ in this matter) for breaches of GDPR. CNIL said Google’s processes in relation to its advert personalisation lacked transparency, contained inadequate information and lacked valid consent.
CNIL felt that essential information, such as data processing purposes, storage periods and categories of personal data, were excessively disseminated across several documents, with buttons and links. This meant that information could only be obtained after taking several steps. It also felt users were not able to fully understand the extent of the processing activities carried out by Google (which it said were particularly intrusive) and that consent was ambiguous involving pre-ticked boxes and generic consent to all processing (rather than consent to specific elements of processing).
The GDPR increased the penalty for breaching data protection requirements from £500,000 to 20 million euros (or 4% of global turnover if greater). There had been debate as to whether this would, in practice, result in higher penalties being awarded, as many regulators (including those in France and the UK) were slow to award maximum fines under the old law. However, this case is a warning to organisations that the regulators mean business and are not shying away from their new powers under the GDPR!