Yesterday French data regulator CNIL fined technology and search engine giant Google the equivalent of $57 million; Google allegedly breached the EU’s GDPR privacy regulation. The fine represents the largest GDPR penalty yet decided since the law came into effect in May of last year.
The fine punishes Google for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization.”
CNIL explained their decision in more detail:
- According to the decision, “users are not able to fully understand the extent of the processing operations carried out by Google.”
- “The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent.”
- Creating a Google account mandates users consent to personalized ads without their full knowledge. “The GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose,” said CNIL.
In a statement, Google expressed their commitment to complying with GDPR mandates and to providing transparency in its data collection. However, they are currently studying the decision, most likely to determine whether it can file an appeal on an injunction.
What The CNIL Fine of Google Means for GDPR
Even their appeal fails (should they file one), $57 million represents little more than a speed bump to Google; the world’s most famous search engine made over $33 billion last quarter alone. Additionally, CNIL seemingly did not flex their full power on Google. GDPR allows for fines up to 4% of a company’s annual global revenue for a penalty. In Google’s case, this would constitute far more than $57 million.
However, the increasing size of GDPR fines indicates how serious the EU intends to take its new privacy regulation. Most likely, this represents only the beginning of GDPR showing its strength; the fine will increase and will only become steeper.
Therefore, enterprises need to wake up to the increasing privacy demands of their governments and carefully analyze what consumer data they collect. They also need to consider how their consent platforms work and if they are complying with the proper regulations in obtaining consent.
Furthermore, enterprises must also recognize GDPR and other privacy regulations do not just come from the top down. After all, even without the regulatory headaches, a data breach can cause a severe drop in customer trust and in long-term revenue. A $57 million fine may only be a hiccup for Google, but it can shutter other enterprises in an instant.
To gain a little more perspective, we sought the counsel of some cybersecurity experts. Here’s what they told us.
Anurag Kahol, CTO and Co-Founder, Bitglass
“Google being fined for its noncompliance with GDPR will likely pave the way for penalties for other prolific companies that have not yet met the demands of the new law. Until this point, data protection authorities have been incredibly patient with companies – GDPR has been in full effect for nearly a year now.”
“However, it seems this grace period is more or less passing. While Google may be able to absorb this financial penalty, other companies are likely not large or successful enough to do so. This instance should be a wakeup call for organizations everywhere to begin taking data privacy far more seriously.”
Jonathan Bensen, Interim CISO, Balbix
“CNIL’s decision to fine Google does not seem to be aimed towards solving the issue, but towards making money. Most people should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.”
“If CNIL wanted to take a step in the right direction, they should suggest Google change the language in its Terms of Service versus imposing a fine without offering a solution. While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.”
David Ginsburg, Vice President of Marketing, Cavirin
“If anyone had doubts about GDPR having ‘teeth’ and applying to US-based organizations, they can be put firmly to rest. Lack of transparency and misuse of data, only now receiving scrutiny in the US, is not an acceptable business practices in many other regions. I suspect Google will be only the first of many internet properties fined within the EU.”
Thank you to these cybersecurity experts for their time and expertise!
- Identity Management Lessons from the UC San Diego Health Attack - July 28, 2021
- The Biggest IAM News Items During the First Half of 2021 - July 27, 2021
- When is it Time to Replace Your Homegrown Identity Management? - July 26, 2021