GDPR Enforcement: How the 2019 Google Fine Made a Statement

The January 2019 fine of €50 million (US$57 million) imposed on Google for breaking privacy laws under the EU’s General Data Protection Regulation (GDPR) certainly showed that the GDPR rules quickly had big consequences for corporations and marketers and one for all companies to pay close attention to.

Here's the crux of the case: France’s data protection office (CNIL) found the tech giant in violation of the laws by failing to obtain adequate consent from users when processing their data for the purpose of personalized advertising. In addition, it was ruled that Google did not provide information that was clear and easily accessible to consumers about how their information is collected and held.

This was a landmark ruling, as it was the first time Google has been fined using the new rules stipulated by the pan-European GDPR. It was also CNIL’s first imposition of a fine under the GDPR regime. 

Under the GDPR, EU regulators have the power to fine companies 4% of their annual turnover or €20 million (US$23 million), whichever is greater.

The fine followed complaints made in 2018 by two European pressure groups, None Of Your Business (NOYB) and La Quadrature du Net. They accused Google and other major Internet companies, including Facebook, of not having a valid legal basis to process the personal data of users of its services, “particularly for ads personalization purposes”.

Let’s look a little deeper at the laws and background to this case.

The Background: GDPR Cracks Down on Data Privacy

Data protection had long been acknowledged as a distinct fundamental right under EU law. Under Article 8 of the European Convention of Human Rights (ECHR), a person’s right to protection with respect to the processing of personal data forms part of the right to respect for private and family life, home and correspondence.

Under EU law, data protection was regulated for the first time by the Data Protection Directive in 1995. However, with major advances in tech coming so rapidly over recent years – personalized, targeted digital advertising capabilities being one major component of this – the EU decided to introduce new legislation and adapt data protection rules.

In essence, it was determined that the law needed to be updated to make it fit for purpose in the current environment and create a modern framework for EU consumers. The GDPR became fully enforceable across the EU from 25 May 2018, placing a higher standard on data protection, privacy and security for the digital age. 

The GDPR has brought huge changes in the sphere of personal data protection, with many commentators describing it as the biggest shake-up in data protection, privacy, and security standards for over two decades.

The consequences for digital marketing teams and brands have been significant, with major analysis, adjustment, and action required by many to meet the standards set by the new laws. This has included auditing customer databases for opt-in consent to marketing communications, re-opt-in campaigns (as seen in the deluge of emails sent out by companies at the time of the law’s introduction), and the creation of new processes for opt-in consent.

In particular, GDPR contains strict regulations for companies’ privacy policies – how they are written, what they must contain and how they are accessed. The regulations stipulate that the privacy policy must be written in language that is “concise, transparent, intelligible and easily accessible, using clear and plain language”.

It is also necessary to give a “meaningful overview of the intended processing”, explaining exactly how the data collected will be used, such as for advertising purposes.

With all that in mind, let’s look at the Google ruling in some more detail.

The Case: Google’s Breach of the Rules

The CNIL initiated its investigations following two complaints it received against Google in June 2018, very soon after the implementation of GDPR. The complaints were lodged by NOYB and La Quadrature du Net, a group mandated by 10,000 data subjects to file a complaint. They claimed that Google did not have a valid legal basis to process the personal data of its users for the purposes of its user behavioral analysis and ad personalization activities. 

To investigate the complaints, the CNIL initiated a series of online inspections on Google's platform, and ultimately determined that Google had breached fundamental aspects of the GDPR.

Firstly, the CNIL found that Google did not make the relevant data protection notice easily accessible to users, which breached Article 12 of the GDPR. It was ruled that the notice was “not always clear and comprehensive” and only accessible after several steps were taken by users.

Secondly, they found that Google breached Article 13 of the GDPR, as its notice did not comply with the requirement to provide specific, mandatory information to data subjects. The CNIL held that “users are not able to fully understand the extent of the processing operations carried out by Google” as the information provided was “too generic and vague”. It found Google’s processing activities to be “particularly massive and intrusive” due to the multiple purposes for which the company processed personal data. 

It was deemed that users were effectively unable to exercise their right to opt out of data processing for personalization of ads. Users were not asked specifically to opt in to ad targeting, instead being asked simply to agree to Google’s terms and privacy policy en masse.

It was deemed that this did not meet the “specific” threshold of consent under GDPR, as users are giving just one consent to all of Google’s processing activities rather than separate consent for each purpose of processing. 

More Developments, Consequences, and Analysis

Reacting to the ruling, Google said in a statement: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

For their part, CNIL justified the large fine by noting that the violations were continuous, and still occurring. Notably, it added that Google’s violations were aggravated by the fact that the economic model of the company is partly based on ads personalization, and that it was therefore “its utmost responsibility to comply” with GDPR.

Google’s chief privacy officer Keith Enright has since stated that the company disagrees with the CNIL decision and indicated that they will appeal the ruling in European courts. “We fully expect that there will be ongoing engagement with regulators and, in some instances, there will be issues that are taken to court, probably all the way up to the highest court in Europe to resolve these latent ambiguities within the GDPR as the law evolves,” he said.

While the GDPR forced brands and marketers to make major adjustments to their processes and approach at the time of its introduction, this ruling is highly significant insofar as it’s the first major case of a fine being issued against a digital company under the GDPR – and it was not long in coming, just eight months after GDPR was enforced.

In October, a Portuguese hospital was hit with a €400,000 (US$453,000) fine for two GDPR violations relating to inappropriate access to patient data. That ruling also showed a willingness by the authorities, the Portuguese Supervisory Authority,to enforce the laws, (albeit not on the same scale as the Google case), which ramps things up quite a bit.

Dr Lukasz Olejnik, an independent privacy researcher and advisor, said the Google ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement, and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of the GDPR decade,” he said.

While the €50-million penalty is obviously a substantial sum of money and is eye-catching to commentators and observers, it does not seem to be the most important aspect of this case. For a company with Google’s scale and earning power, the fine itself not severely damaging.

In 2018, Google’s total revenue amounted to US$136.22 billion. Based on that figure, had the CNIL utilized the GDPR penalties to the maximum (4% of annual revenue), the fine could actually have been in excess of US$5 billion, one hundred times the actual fine Google received.

Of greater financial impact, Google was fined €4.3 billion (US$4.9 billion) by the European Commission in July 2018 for abuse of its dominant market position by its Android mobile phone operating systems, in the largest EU anti-trust fine ever. That represents a significant proportion of the company’s annual profits. The commission also previously fined Google €2.4 billion (US$2.7 billion) for abuse of its market position in favoring its shopping services in Internet searches.

With that said, this latest GDPR ruling sets an example and sends out a very clear message that the regulation is being enforced and is to be taken seriously. The data protection authorities are keenly focused on the regulation and protecting individuals from unlawful processing of their personal data.

For Google, the implications of having to amend its data protection processes could prove far more burdensome than the fine itself. There is also the negative publicity to consider, with growing public awareness and scepticism among consumers about their data being used for targeted advertising and the intrusive nature of this. Of course, Google is not alone in this. Facebook has also been rocked by controversy over data privacy in recent months.

With that said, Google still enjoys a very dominant market position as the world’s leading search engine. We have yet to see how the case plays out in the appeals courts, with the tech giant set to defend its practices and procedures there. This is bound to have major ramifications on all sides – for consumers, corporations, and digital marketers. It will be worth keeping track of.

This ruling gave a wake-up call to all enterprises doing business in the EU about the consequences for failing to meet the required standards. For any companies and marketing teams, this ruling has emphasized the need to ensure that their data protection notices are accurate, up-to-date, and are brought to the attention of data subjects properly and appropriately, to stay fully compliant with the GDPR.

Related

• GDPR Short Course with Ardi Kolah
• All About the California Consumer Privacy Act (CCPA)
• Webinar: GDPR One Year On: Enforcement Actions and Consumer Trends
• The Definitive GDPR Checklist for Marketers
• Data Protection: It’s About Reputation, Not Just Regulation