Google Fined 50 Million Euros for Violating GDPR

January 2019

When the European Union’s (EU's) General Data Protection Regulation (GDPR, discussed in a December 2017 client alert) took effect May 25, 2018, the French data protection regulator, Commission nationale de l'informatique et des libertés (CNIL), which translates to National Information Rights Commission, began investigating Google’s data privacy practices. Now, the CNIL has imposed on Google a €50 million fine (about $57 million), the largest to date under the GDPR, for lack of transparency, inadequate information, and lack of valid consent regarding its personalized ads. Below is a summary of the enforcement action and what it means going forward.

One focus of the GDPR is transparency: it requires that companies clearly explain how data are collected and used. Under the GDPR, companies must also have a lawful basis for processing data, such as user consent. CNIL said that Google’s consent mechanisms were too broad and did not adequately clarify to what users were consenting. Instead, users were largely unaware of what data they agreed to share or how Google used the data. For example, Google’s default setting is to display personalized ads to users. Although this setting could be changed, it lacks clear affirmative consent from a user. Further, Google would not allow users to create an account until they had agreed to its terms and conditions in full.

Although the fine against Google is significant, it is far lower than the maximum penalty allowed under the GDPR, which is 4% of annual worldwide turnover. For Google, that would amount to more than $4 billion. However, being fined under the GDPR can bring other financial repercussions as a result of damage to a company's reputation. Consumers might be startled to learn that a company misappropriates their data, and they might cease using that company’s services.

Few fines have been levied under the GDPR since it took effect, but CNIL’s fine against Google signifies EU member states’ seriousness about enforcing the regulation. GDPR enforcement actions that have not resulted in fines have imposed requirements on companies to become GDPR-compliant or cease non-compliant activity, which also brings other significant costs.

If you need assistance complying with the GDPR, feel free to contact one of our Cybersecurity & Data Privacy attorneys.

Firm Highlights
Client Alert

Colorado Joins the Bandwagon, Enacts Comprehensive Privacy Law

More
News

Jeremy P. Brummond Presents at Webinar for Experienced Construction Attorneys

More
Client Alert

Supreme Court Limits Ability to Compel Access to Private Property Without Compensation

More
Client Alert

Missouri Supreme Court Reverses Overtime Wages Judgment Resulting from Employer-Mandated Screenings Under the Portal-to-Portal Act

More
Client Alert

FTC Adds Teeth to the ‘Made in USA’ Rule

More
News

A Lawyer’s Guide to the Galaxy Podcast Named Among Best Copyright Law Podcasts for 2021 by Welp Magazine

More
Client Alert

The Changing Workplace Following the Latest CDC Mask Guidance

More
Client Alert

EEOC Issues Updated Guidance on COVID Vaccination Policies

More
Diversity & Inclusion

Law Firm ILN-telligence Podcast Hosts Ronald A. Norwood to Discuss Mentorship, Diversity & Inclusion in the Legal Industry, and the Importance of Equity for All

More
Client Alert

Missouri Supreme Court Holds that Public Governmental Bodies May Not Charge for Attorney Review Time

More
News

Michael D. Mulligan, Mysun Charitable Foundation Recognized at Greensfelder Park Ribbon Cutting Ceremony

More
Diversity & Inclusion

Lewis Rice Launches “Next Level” Diversity and Inclusion Programs

More
Client Alert

DOL Publishes Cybersecurity Guidance for Benefits Plans

More
News

Lewis Rice Welcomes 2021 Summer Associates

More
Client Alert

CROWN Act Legislation on the Verge of Passage in St. Louis City & County

More
Client Alert

Supreme Court Hands Down Unanimous Decision Limiting FTC’s Ability to Seek Monetary Relief

More
Client Alert

The New Standard Contractual Clauses: Scope, Impact, and Next Steps

More
Client Alert

First-Issued Interim Final Rule Gives Guidance on No Surprises Act

More
News

Claims Filed for Compensation in North Carolina Ecusta Trail Rail-to-Trail Case

More
News

Jeannine Moentmann Becomes President of St. Louis Paralegal Association for 2021-2022

More