Google fined for data misuse, are you GDPR compliant?



Jennie Alger, Trainee solicitor, Corporate Commercial

Further to our article on the General Data Protection Regulation (GDPR) that was introduced in the UK by the European Union on 25th May 2018, we wanted to share with you an example of how the new rules work in practice as a warning of the consequences of non compliance.

Google has recently been fined €50 million by the French data regulator CNIL, for breaching GDPR rules. The fine was issued for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation” because people were “not sufficiently informed” about how Google collects data to personalise advertising. Issue was also found with the disparities in the company’s data policies spanning over different EU countries. Google has since revealed that it will be appealing the fine.

GDPR shows a new era in privacy enforcement and this fine shines a light on how the GDPR rules will work in practice, especially in respect of companies that rely heavily on gathering and processing data to make money. It is fundamental under the new GDPR principles that users must OK each specific use of their data and this cannot be ambiguous.

These enhanced transparency requirements build upon data subjects existing rights under the Data Protection Act 1998, which begins at the data collection stage and applies throughout the life cycle of processing. GDPR does not prescribe the format by which information should be communicated to data subjects; however data controllers should take ‘appropriate measures’ to provide such information in a transparent way.

If you think this practical development applies to your business, we would strongly recommend reviewing your consent practices to see if they need to be adapted. Google isn’t the first and most definitely won’t be the last in proving that superficially adapting your products won’t be enough.

For more information or guidance on the GDPR requirements, including a review of your current data protection documents, terms and conditions and contracts between data controllers and processers,  contact the Mogers Drewett Corporate Commercial team who will be happy to assist you.