Industry experts have commented on the decision by a French regulator to fine Google €50 million over data protection concerns.
The CNIL issued the fine under GDPR rules, highlighting a ‘lack of transparency, unsatisfactory information and lack of valid consent for the personalisation of advertisements’.
A spokesperson for Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
In its decision notice, the CNIL stated that two complaints were received last May from two groups – None Of Your Business (‘NOYB’) and La Quadrature du Net (‘LQDN’).
Ryan Kalember, SVP, Cybersecurity Strategy, Proofpoint
This GDPR fine brings to light some vital lessons for other businesses observing this crisis from a distance. By becoming the highest fined company since GDPR came into force, Google is now the black and white case study of ‘what could happen’ in the event of non-compliance. In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.
Many organisations are still unsure whether their GDPR compliance strategy is 100% fit for purpose, but this incident signals that long gone are the days when privacy could be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue. Compliance professionals now have a use case to take to the board to secure any funding and resources they need to become GDPR compliant if their organisation isn’t today.
Paul Farrington, Director of Solutions Architecture (EMEA) at Veracode
The fine against Google is an indication of the serious focus on privacy and security by regulators. Global enterprises must take steps to ensure security hygiene and compliance with standards to reduce their risk and protect data.
Alex Hollis, GRC Practice Director, SureCloud
The CNIL has certainly lived up to its reputation on matters of data protection in taking action. Since last May we have seen the dip following the initial interest and have been expecting these legal cases to emerge.
The scale of the fine for Google is not the 4% allowed under the regulation, which must go some way towards acknowledging the steps and controls that Google has taken. It should certainly serve as a caution to those who don’t have the legal protection that Google has.
Bharat Mistry, Principal Security Strategist at Trend Micro
This just goes to show that even the big technology firms are struggling with the tightening regulatory and compliance regimes that the EU has put in place to protect EU citizens’ data. This fine will be a wake-up call for the tech giants and any other company that is collecting and hoarding mass amounts of personal data without applying due care and attention to the protection, retention and safe disposal of the data once it is no longer required.
Fouad Khalil, Vice President of Compliance at SecurityScorecard
The new year is upon us, as is GDPR enforcement and fines. Companies that have sat back and watched the privacy tidal wave hoping that it will miss them should reconsider. As with any new regulation, most companies scramble to comply once they realise the ramifications are real.
We are learning that no one is beyond GDPR reach – Google was fined €50 million due to people ‘not [being] sufficiently informed’ about how Google collected data to personalise advertising.
This is the first large fine by a GDPR regulator. That it was the French privacy watchdog (CNIL) that issued the fine is no surprise. CNIL is the only regulator that issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France, where it is considered to be more effective.
The regulator indicated that Google provided inadequate information to its consumers and had invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is. Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it: continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.
In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase.
Matt Walmsley, EMEA Director at Vectra
And so CNIL, the French supervisory authority, flexes its muscles and Google is the first big scalp for GDPR fines. Others will follow.
User experience and clarity in terms and conditions have been used to remind us that data management and use are just as important as data security within GDPR. I’d expect Google to challenge the ruling and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others.
Matt Lock, Director of Sales Engineering at Varonis
The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programmes and hoped to simply fly under the radar – their luck may be running out soon.