Strike One: Google fined €50 million as it falls foul of GDPR
- First time the GDPR has been fired at a tech giant
- French data regulator cites “insufficient information” provided to users for consent
- Google says it’s “studying” the decision
Google’s been hit with a €50 million rap on the knuckles by the French data regulator, CNIL, for breaching the EU’s data protection rules.
Backstory: The GDPR was fashioned, not as a heavy-handed piece of bureaucratic overreach, (as some might have it) but rather as a cunningly constructed trap for the arrogant. It’s not a set of don’t do this, this and this guidelines for Internet information gatherers. Instead it lays out the objective of the regulation and tells the companies concerned that they had better construct a simple to understand process by which users, thus fully informed, may consent to the use of their collected data. And they’d better make sure it works, otherwise it’s “see you in court”.
Often, after an adverse finding such as this, an outraged convicted tech giant will immediately announce an appeal. Google hasn’t on this occasion, which may mean that it intends to adjust its GDPR processes and move on in the hope that it eventually gets to a happy place when it isn’t getting hit by fines.
Or, that it will keep on taking the hits until it encounters a more questionable decision when it will march a phalanx of lawyers into court to contest. It may still do that in this case.
It looks at this stage as if the Googles and Facebooks are going to find it hard to comply without a major rethink of their process steps.
According to the French regulator the information an informed user would need is often spread by Google across multiple documents and therefore requires many steps and clicks to get to.
Then there’s the language, often couched in vague and technical wordage not understandable to the average user.
On top of that Google was asking for blanket ‘ticks’ for all instances of a particular ‘processing operation’, while the GDPR explicitly says specific consent must be obtained for each instance of its use in different contexts.
But that’s only half the problem. Even if Google manages complete compliance with its ‘ticks’, there are signs that sites that currently use Google’s user profile-based programmatic ad placement system (and provide Google’s revenues) might have second thoughts and not collect user information at all (see - Is there an end in sight for ‘people-profiling’ online?).
And there are signs that European users are increasingly wary of ticking a huge list of transparent data instances when signing on to sites. They may eventually be drawn to publications and sites which don’t require them, especially when viable alternatives to Google’s services (Gmail and the rest) become apparent.
That could take a while. At present Google’s various cloud services are seen by many as essential. As a friend told me, “I'm currently experimenting with limiting my use of all Google services as far as possible without resorting to living in a cave.” He may not be forced to move in for a while yet.
Stay up to date with the latest industry developments: sign up to receive TelecomTV's top news and videos plus exclusive subscriber-only content direct to your inbox – including our daily news briefing and weekly wrap.