With successful prosecutions of organizations already making headlines under the General Data Protection Regulation (GDPR), it may come as no surprise to hear of the recent ruling against Google. What has taken some observers aback, however, is the size of the fine and the focus of the violations—specifically, for doing the kinds of things a lot of businesses have always done routinely.
On January 21, the French CNIL made news around the world when it fined Google €50 million for breaking the law around data protection, in an investigation dating back to June 2018.
The CNIL investigation centred on user consent for ad personalization. Violations were found for:
Under GDPR, the CNIL believes that the way that Google collected consent lacked transparency and did not provide a legal basis for processing customer data. One item noted was that essential information was not easily accessible, with details like data retention periods and data processing purposes only being found through multiple steps and across different documents.
With large companies likely to be receiving the most complaints, it’s easy to see why they are the initial targets for investigation by European data protection authorities (DPAs). However, being a multibillion-dollar global company, one might think that Google has the best teams working on their data-management processes.
So, why do they get it wrong? Potentially, it is just teething issues as companies get used to new ways of working. It could also be that DPAs are taking a hard line in the first few years of the new governance to ensure businesses take the regulations seriously. Equally, it could be a lack of understanding of legislation, or that businesses are testing the water to see what they can get away with.
Whatever the reasons, it is plain to see that being compliant with GDPR requires attention and hard work. It’s equally plain that—as expected and even stated explicitly by European authorities before GDPR went into effect—enforcement agencies are willing to impose harsh penalties for non-compliance.
Many businesses will be watching this ruling with interest, and there are a few points to note.
It is standard practice for the data protection authority of the EU country where the company being investigated has its main base to take the lead in any inquiry. In this case, Google’s headquarters are in Ireland. However, the Irish DPA did not take the lead, instead allowing the French CNIL to manage the investigation. The CNIL argued that the Irish HQ could not be considered its main base due to a lack of decision-making power relating to its Android operating system. It would seem that the French authority really wanted to lead the investigation and bypass the “one-stop shop” principle in the EU law.
Secondly, and perhaps most obvious, is the size of the fine handed to Google. GDPR allows penalties of up to €20 million or 4 percent of turnover. €50 million is a record GDPR fine so far, which shows that DPAs are not afraid to bring the full force of the law to bear. However, it could be construed that, as a major global corporation, Google is being used to set an example to other companies that they need to take GDPR seriously.
The findings don’t just put Google in the firing line; the ruling could impact many other businesses as the Google model is one of the advertising platforms most used by companies around the world. There will be a lot of scrambling over the coming weeks across industries to ensure consent processes are fully compliant.
The penalty also has a knock-on effect for every organization that uses Google to collect data in some form. The EU courts have already ruled that companies that use Facebook landing pages are liable (as joint controllers) for the data that Facebook collects—whether they knew about the data collection or not. The onus on companies to be proactive in their compliance, and understand that ignorance is not a defence, is a huge change in mindset and the repercussions could be huge.
Beyond prompting a review of your own data collection processes, and those of any third party that you work with, the ruling may reach wider still. While the verdict addresses Google’s use of consent specifically, the principles of the ruling can be applied across the board to how companies are managing (or not managing) consent.
Having the underlying processes in place for how you collect data, what you do with it, and proving informed consent and transparency are key parts of staying compliant.
Ventiv’s data governance module works with Ventiv IRM to give you a platform on which to build your compliance processes. It should be a big part of your data-protection compliance plan. Find out how your company can stay compliant with the help of Ventiv.
Feb 12, 2019