French regulators throw the first big GDPR punch at Google with £44m fine

Google has fallen foul of the French data regulators with the announcement yesterday of an impressive £44m fine against the global search engine giant. In a move that has set the tech industry chattering, this marks the first major European penalty since the rollout of GDPR on 27th May 2018. It was going to happen sooner or later; it was just a matter of who would be first.

Google’s blunder was their covert process of gathering data to personalise ads without ‘sufficiently’ informing users, burying the detail in terms and conditions and using pre-ticked boxes (contrary to the new legislation).

CNIL, the French equivalent of the UK’s Information Commissioner’s Office, filed two complaints as soon as GDPR came into effect.

Commenting on the severity of the fine, CNIL advised that the action was “justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”.

The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation, which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data.

The fine announced on Monday is far lower than the maximum penalty under the European privacy law, which is 4% of global revenue. For Google, that would be more than $4 billion!

The response has been largely welcomed in the wider MSP community as a prompt to improve marketing processes, a view echoed by Amicus ITS. Like many others today, Amicus ITS uses Account Based Marketing, so the lawful consent required is applied directly with the customer.

The news is a salutary reminder for firms to stay vigilant, ensure they comply with GDPR, and offer flexibility in providing services through different marketing channels that create the variety and correct routes for data capture through websites and other means (which these days translates into the increase in companies offering AI chatbots when communicating services or offering information with third parties).

Are you surprised by the fine?  Who do you think is going to be next up for punishment?  Give us your thoughts.

Google’s “ne m’oublie pas” hit by Europe’s desist and delist world ruling as “right to be forgotten” issue rumbles on

France’s privacy regulator, the CNIL, has rejected Google’s request that the “right to be forgotten” ruling should remain restricted to its European domain names, rather than applying to all Google websites worldwide.

The decision requires Google to close a loophole that enabled searchers to defeat a judgment by the Court of Justice of the European Union (CJEU) last year, after which Google removed results from more localised sites such as google.fr and google.co.uk, but continued to display disputed links on google.com. The French regulator stated Google’s various domain names were just “different paths to the same processing operation”, making it easy for users to circumvent the block.

As we widely reported in our blogs in May 2014, the CJEU recognised the right to be forgotten, allowing people to ask search engines not to display certain links following a search on their name.

The upshot of the original Spanish ruling was not to erase the original searches, but to make them far harder to find. The desire and drive for data privacy was duly thrown into conflict with the arguments for freedom of speech and public interest.

It’s essentially one of the inevitabilities for society when citizens have access to such an incredibly powerful search tool at their fingertips, which today’s younger generation greedily take for granted. It’s only a generation ago, in the pre-Google days before 1998, that people would have had to resort to books and library articles and comb paper archives to get the information they wanted. We now move at such a lightning pace with technology that we must always be mindful of some of its downsides and fully maintain our corporate responsibilities surrounding data privacy, or pay the heavy penalties.

For a business, a privacy breach might prompt a penalty of up to 5% of their global profits; however, in the EU regulation ring, there is a seemingly weak thrust from the particular CNIL sword. After four months, the French national threat is limited to “discussing appointing someone to report to its sanctions committee with a view of obtaining a ruling on this matter”.

With 500 million EU citizens, there is a mess of different legal regimes, making it hard for European businesses to work towards compliance. This is what the new EU Data Protection Regulations hope to cure, if the EU stakeholders can agree the text. It would certainly be a stimulant to Google if it knew it had one Euro privacy regulator to deal with and 5% of its turnover at stake if it broke the rules. It seems a long way off, but organisations should consider data security and data protection as amongst their highest priorities looking ahead.