HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Google Hit With €50 Million GDPR Violation Penalty

Google has been hit with a €50 million ($56.8 million) GDPR violation penalty, the largest GDPR violation penalty issued to date.

The French GDPR supervisory authority, the National Data Protection Commission (CNIL), investigated suspected GDPR violations after receiving complaints from two privacy rights groups: La Quadrature du Net and noyb. The first of the complaints was filed on the GDPR compliance deadline, May 25, 2018.

The complaints related to how Google processes user data for personalizing ads. It was argued that Google did not have a valid legal basis for processing user information and had not obtained clear consent to do so.

While information about its data processing activities has been made available to users, the information is spread across several documents, so it is unclear to consumers how their personal data is being processed. According to CNIL, a consumer would need to take five or six actions in order to find out essential information about Google’s processing activities related to personalized ads and, as such, users would not be able to understand how Google was processing their data.

While consent was obtained, the consent form was pre-checked, requiring users only to click to accept, which is also a violation of GDPR. When obtaining consent, controllers must have users manually tick the check boxes themselves. Consent must be clearly provided through an explicit opt-in process.

The lack of transparency about how user data will be processed in relation to serving personalized adverts left consumers in the dark about the “particularly massive and intrusive” data processing that takes place in order to serve personalized ads, according to CNIL.

The extent of the GDPR violations, which are ongoing, warranted a substantial fine. The maximum penalty for serious violations of GDPR is €20 million ($22.73 million) or up to 4% of global annual turnover, whichever is greater. While the €50 million fine is substantial, it falls well short of the maximum possible fine that could have been issued: around $4.4 billion based on an annual turnover of $110.8 billion in 2017.

The complaints to CNIL are just two of many that have been filed against Google since the GDPR compliance deadline. Complaints have been submitted by consumer groups in several EU countries over what are viewed as deceptive privacy practices. If those complaints are substantiated, further fines can be expected.

Google has responded to the fine by issuing a statement confirming that it is deeply committed to meeting the high standards of transparency, control, and consent that are required by GDPR and that it will be studying CNIL’s decision to determine what steps must be taken next.

The substantial GDPR violation penalty sends a message to large technology firms and other entities that collect or process the data of EU residents that compliance with all aspects of GDPR requirements is mandatory and violators will face severe fines for noncompliance.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.