What we can learn from Google’s 50M fine for violating GDPR

Google’s fine was the largest ever levied in response to a GDPR breach. But what bearing does it have on your organization?

The EU and EEA implemented the GDPR (General Data Protection Regulation) some time ago, but the practical application of its provisions is still raising doubt and controversy. If you’re involved in GDPR compliance in your own organization, it’s worthwhile to stay informed on the various opinions and positions regarding its application. They may prove helpful in ensuring your own compliance.

The recent 50-million-euro fine handed down to Google sets a particularly striking example of what GDPR compliance is and isn’t. Why was Google fined? And what can we learn from their case?

Why Google was fined

On January 21, 2019, the French supervisory body CNIL (Commission nationale de l'informatique et des libertés) found Google did not comply with GDPR rules – specifically, in failing to meet its information obligation towards the persons whose data the multinational company had been processing. This charge rested on two key areas:

1. Improperly meeting its information obligation

While Google does provide privacy notices and other required documents, basic information – such as data processing purposes, data storage times, and the type of data used for personalizing ads – is dispersed across various documents. In turn, these contain references to other documents and occasionally require users to go back to previous sections as they read through them.

To uncover what’s happening to their data, Google users may have to perform multiple actions, sometimes five or six for a single task. This includes following various links and clicking on several buttons. Plus, document titles chosen by Google do not always accurately reflect the document content, which can confuse or mislead users.

The CNIL also concluded that Google imprecisely described or over-generalized a lot of the information required by the GDPR. Explanations about why data is processed, the data categories used, or the legal bases for such processing were not presented with sufficient clarity. This information is vital from the user's point of view, and having it imprecisely rendered is in breach of the GDPR transparency rule.

2. Lack of valid consent for ad personalization

The other charge against Google is a lack of valid user consent to the data used for ad personalization. According to the CNIL, users have not been duly informed of what this processing entails, i.e. the number of services, pages, or applications which process their data. Consequently, users may have provided a lot of information about themselves without being aware of how and by whom such data may be used.

It should be noted that Google users can configure ad personalization options during the registration process. However, Google’s solution does not comply with GDPR rules because consent is pre-selected by default. Additionally, using one consent statement to cover the processing of users’ data for more than one purpose is not in compliance with GDPR requirements. Such an agreement may not be deemed specific and explicit.

What we can learn from Google

The above ruling should prompt administrators to draw the following conclusions as to good GDPR practices:

  • All information for persons whose data is processed should be provided in a transparent and clear way. Use plain language and avoid expressions like "we process data for our own justified needs" or "we use proper means". Since these don’t indicate what these needs or means are, they render the information useless.
  • Document titles should reflect the actual content of the document. They should not mislead the user. For example, Google’s information on the time period of storing data was placed in a document titled "Exporting and Deleting Information", which the CNIL deemed as not sufficiently clear.
  • All information required by the GDPR should be appropriately specified and defined. The purpose of data processing should be clearly expressed and should explicitly state the data categories and the legal basis (or bases) for its processing.
  • Information clauses should be clearly separated from other regulations; they should not be part of the general rules and regulations, service provision terms, etc.
  • Access to basic information should be fast and easy. An approach in which the information is layered (first comes the basic facts, with more detailed information being provided in later stages) is allowed. However, the reference in such instances should be clear and should not keep transferring the user to other pages, or – even worse – take them back to the general document(s).
  • If data processing is based on user consent, the consent should be closely tied to a specific processing purpose and should require the user to actively select the consent option. It should not have the option set to consent by default.
  • A lack of clear and transparent information on data processing may lead to the user challenging their consent, which as a consequence means there is no legal basis for processing their data.

These guidelines are nothing new. They derive directly from GDPR regulations, yet they are frequently not observed. This is worth bearing in mind.

GDPR is not just a formality — it’s about informed choice

In conclusion, we can learn the following key lesson from Google’s fine: We should not just aim to comply with formal information requirements and obtain user consent; we must bear in mind that the user should truly be provided the opportunity to make an informed choice.

This poses a real challenge, particularly with the scope of information demanded by the GDPR and its expanded clauses. We should expect that supervisory bodies will scrutinise how companies meet their obligation to ensure the rights of the person whose data is being processed. Therefore, I recommend that administrators take care of their GDPR responsibilities sooner rather than later. In particular, I advise you to verify that all information obligations are properly met and all user consents are provided in a specific, informed, and explicit way.