Cybersecurity & Data Privacy

Publications

Google Fined 50 Million Euros for Violating GDPR

January 2019

When the European Union’s (EU's) General Data Protection Regulation (GDPR, discussed in a December 2017 client alert) took effect May 25, 2018, the French data protection regulator, Commission nationale de l'informatique et des libertés (CNIL), which translates to National Information Rights Commission, began investigating Google’s data privacy practices. Now, the CNIL has imposed on Google a €50 million fine (about $57 million), the largest to date under the GDPR, for lack of transparency, inadequate information, and lack of valid consent regarding its personalized ads. Below is a summary of the enforcement action and what it means going forward.

One focus of the GDPR is transparency: it requires that companies clearly explain how data are collected and used. Under the GDPR, companies must also have a lawful basis for processing data, such as user consent. CNIL said that Google’s consent mechanisms were too broad and did not adequately clarify to what users were consenting. Instead, users were largely unaware of what data they agreed to share or how Google used the data. For example, Google’s default setting is to display personalized ads to users. Although this setting could be changed, it lacks clear affirmative consent from a user. Further, Google would not allow users to create an account until they had agreed to its terms and conditions in full.

Although the fine against Google is significant, it is far lower than the maximum penalty allowed under the GDPR, which is 4% of annual worldwide turnover. For Google, that would amount to more than $4 billion. However, being fined under the GDPR can bring other financial repercussions as a result of damage to a company's reputation. Consumers might be startled to learn that a company misappropriates their data, and they might cease using that company’s services.

Few fines have been levied under the GDPR since it took effect, but CNIL’s fine against Google signifies EU member states’ seriousness about enforcing the regulation. GDPR enforcement actions that have not resulted in fines have imposed requirements on companies to become GDPR-compliant or cease non-compliant activity, which also brings other significant costs.

If you need assistance complying with the GDPR, feel free to contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
Client Alert

Important Update – The Corporate Transparency Act: What Small (and Not-So-Small) Businesses Need to Do

More
News

Lewis Rice Kansas City Office Names Four New Members of the Firm

More
Client Alert

Department of Labor Retools FLSA Independent Contractor Rule – Again

More
News

FarmProgress Discusses Rails to Trails Compensation

More
Diversity & Inclusion

BLSA Recognizes Lewis Rice with “Leader in Diversity” Award

More
Client Alert

Federal Funds Available for Energy Investments Powering Up in 2024

More
News

Michael P. Davidson Named to Missouri’s 2024 POWER List in Health Care Law

More
News

Lewis Rice Names Three New Members of the Firm

More
Client Alert

New Hampshire: the 14th State to Enact a Comprehensive Privacy Law

More

Lewis Rice LLC (“we”) use cookies to improve our products and your experience on our websites by evaluating the use of our website and services, to personalize content and ads, to provide social media features and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics service providers. For more information, please see our Cookie Policy.

By continuing to browse or by clicking “Accept All Cookies” you direct us to disclose your personal information to these service providers for those purposes and agree to the storing of first-party and third-party cookies on your device.