
First Fines show Reality of GDPR Laws

GDPR isn’t a myth, but a tough reality – a lesson that Google learned recently.

Elke Bastian

The French committee Commission Nationale de l’Informatique et des Libertés (CNIL) imposed a financial penalty of 50 million euros against Google for violating users’ privacy. This must sting a bit.

It is the first time that CNIL has fined a company under the EU’s General Data Protection Regulation. It is also the first time Google has been fined under GDPR, and it is the largest fine to date. But it is not the first fine, and it won’t be the last.

It is clear GDPR is being taken seriously. The question is, who is next? Given the fact that many companies were not ready for the deadline on May 25th last year, I can imagine many are trembling with fear.

So what was Google’s mistake? The CNIL found that users’ privacy was violated in several ways: It was too difficult for users to find essential information, like data-processing purposes, data storage periods or categories of personal data used for advertising personalization. This is because the data was split across multiple documents, help pages, and settings screens.

The lack of clarity made it difficult for users to opt out of their data being processed for the personalization of ads. The information wasn’t always clear or comprehensive – and Google didn’t always inform users how long it would retain their data. Even when Google collected user consent for opt-ins, the company didn’t meet the GDPR standards.

Actually, it’s no surprise that the new laws hit a company like Google – one that lives on processing private data. But it sends a signal, and other cases will follow. Complaints against Facebook, Instagram, etc. are on their way. There is a thin line between providing enjoyable social media and Web services and protecting the users’ privacy. On the other hand, other businesses – maybe smaller or with less know-how – shouldn’t feel too safe and hide in the Google giant’s shadow. Every company handles private data in one way or another, even if it is not immediately visible. The Google example should be a clear warning to get GDPR compliance in hand ASAP.