This week Google has become the first company to receive a major fine after being found in significant breach of the General Data Protection Act (GDPR). The search giant received a penalty of €50m (around £44m) from French data regulator CNIL for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. Complaints were submitted by two privacy rights groups claiming that Google had breached GDPR in several instances:

  • It had not determined a valid legal basis for processing data – consent being just one of six under GDPR
  • Users were not fully informed on what they were granting consent for and the data being collected by Google, particularly in relation to targeted advertising and speech recognition
  • Details of the level of personalisation used by Google were disclosed over the course of several pages and up to six user actions, in contravention of GDPR’s transparency principal
  • Consent was “forced”, leading users to believe that they could not continue to use Google’s services unless they opted in
  • Pre-ticked boxes were in use at the point of sign up


So what does this ground-breaking action mean in our new data protection landscape; will we now be seeing fines handed out more frequently and on a larger scale? Well, yes and no…

It was long assumed that one of the ‘big boys’ of the online space would be the first to receive a hefty penalty to set an example; spectators didn’t have to wait long, as the first complaint against Google was on 25th May 2018 – GDPR’s first day of enforcement. The action against Google is a clear indicator that regulators will use their increased fining powers if needed, in particular against the major players who should now be tripping over themselves to put their users at the heart of their compliance programmes.

Just last week complaints were filed against Apple, Amazon, Netflix and Spotify on the grounds that none had responded to the GDPR’s ‘right to access’ clause in a satisfactory manner – incidentally, by none other than NOYB (‘None Of Your Business’, to those not in the know), who submitted the first claim against Google. And it would be remiss not to mention Facebook’s €10m fine in December for not being clear with Italian users that their data can be used for the company’s financial gain.

As we approach the GDPR-iversay on 25th May, tech giants should eliminate the idea that all has gone quiet and it’s ‘business as usual’; Google’s penalty should be a strong wake up call to anyone in violation.

The reality for many smaller enterprises, however, is that the Information Commissioners Office (ICO), in charge of upholding information rights in the interest of the UK public, have been keen to state that they prefer the carrot to the stick. Instead, Elizabeth Denham’s office have consistently issued the message they are here to support organisations in their data processing activities; to this day the ICO has only issued one fine to the maximum of its powers – to Facebook (although, disappointingly for many commentators, the complaint was issued prior to GDPR thus meeting DPA 1998 fine limits).

For now, Google has commented that it is “deeply committed to meeting those expectations and the consent requirement of the GDPR” and that it is now “studying the decision”. In reality, €44m is a drop in the ocean for a colossal empire like Google. Their share prices fell heavily when the fine was announced, but just 12 hours later have bounced back up and sit just -0.68% on pre-penalty amounts. Additionally, there is little consumer commentary on the issue so far, suggesting that, while it may have suffered a bruised ego, it’s very much business as usual for Google while it decides its next move.

Meanwhile, all eyes turn to the ICO for an update on their ongoing investigation into Facebook…

Aimee Bishop, Group Data Manager