Google’s €50m GDPR Fine Heralds a New Era
Infosecurity Magazine | January 22, 2019
In the first major regulatory action of the GDPR era, Google has been fined €50m ($57m, £44m) in France for failing to notify users about how their data is used. French regulator CNIL issued the fine this week after complaints by two rights groups, noyb and La Quadrature du Net (LQDN), one of which was filed on the day the new legislation came into force. CNIL claimed it observed two breaches of the GDPR. First, Google violated the obligation of transparency because “essential information” on how users’ data is processed to personalize ads is spread out across multiple documents. In addition, some of the info “is not always clear nor comprehensive,” the regulator said. Second, Google did not have a legal basis to process data for ad personalization because user consent was not validly obtained. The reason for this, again, is that user consent is not sufficiently informed, given the difficulty of locating the relevant info across numerous documents.