Earlier this year, Google was fined £44 million (50 million euros) by the French data regulator for breaching the data protection rules under GDPR. To date, this is the largest fine issued since GDPR came into force.
Why was Google fined?
In May 2018 the General Data Protection Regulation (GDPR) came into force, requiring each European Union member state to introduce GDPR into their national legislation.
As soon as GDPR came into force, two privacy rights groups filed complaints against Google, citing failures to meet fundamental principles under GDPR. Google was subsequently fined by the French regulator, principally for two failures under the new regulations: lack of transparency and not obtaining valid consent for personalised advertising.
Essentially, the regulators found that individuals were not sufficiently informed about how Google collected data to personalise advertising.
Why is this fine significant?
At £44 million, this fine is the largest ever to be issued under GDPR. Considering that under the previous Data Protection Act 1998, the maximum fine that was permitted in the UK was limited to £500,000, Google’s fine is comparatively large.
However, it could have been much worse. Under GDPR, the maximum fine is limited to the higher of £20m or 4% of annual global turnover, which means that for Google, the fine could have been closer to £4 billion.
The level of the fine issued against Google reflects the gravity of Google’s failure to meet the requirements introduced under GDPR. Even though it was the French regulator that fined Google, the principles under which Google was fined also apply to businesses processing personal data in the UK.
Key tips to avoid breaches
As the first major fine under the GDPR, this record-setting fine is significant. If your business collects or processes personal data, it is important to consider the following tips:
Ensure your business is transparent:
- Make the essential information clear to understand; and
- Make it easy for individuals to find the essential information. Information disseminated across a range of documents will not meet this requirement and individuals should not have to take 5 or 6 steps to access the information.
Obtain clear consent from individuals:
- Avoid using sweeping statements to obtain consent;
- Avoid using pre-ticked boxes to indicate consent has been provided; and
- Provide sufficient and clear information so that individuals are clear about what they are consenting to.