After Google was hit with a €50m GDPR fine, what next?

When the General Data Protection Regulation (GDPR) was introduced last year, giving regulators the ability to levy big fines of up to four per cent of turnover for non-compliance, it was only going to be a matter of time before a company got caught out.

It is perhaps surprising, however, that one of the first to be fined under the legislation is search giant Google. French regulator CNIL has fined Google €50m (around £44 million) for failing to notify users about how their data is used.

What did Google do wrong?

The fine was levied for a number of different reasons. Firstly, Google has fallen foul of transparency rules because information as to how data is used to personalise adverts is spread across a number of documents and some of it is not ‘clear or comprehensive’ according to the regulator.

Secondly, Google didn’t obtain consent for delivering personalised ads in a valid way. User consent, according to the regulator, was not sufficiently informed because it was difficult to find the appropriate information across multiple documents.

In addition, among the options offered when creating a Google account, the advert personalisation box is pre-checked, something frowned upon under GDPR. The fine relates specifically to creating a Google account on Android.

CNIL says, “The amount decided, and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” [1]

Google says it is ‘studying the decision’ before deciding how to respond.

More to come...

While this is the first major GDPR fine, it is unlikely to be the last. Indeed, Swedish regulator Datainspektionen has revealed that it is launching an investigation into Google over the collection of location data relating to Android users.

The complaint says that Google uses design that is deceptive, information that is misleading and pushes repeatedly to persuade Android users to allow constant tracking of their movements via their device.

The regulator has sent a letter to Google asking for additional information and the answer to a number of questions by the 2nd of February. [2] Specifically, it wants to find out how many Swedish citizens have had their data captured and how much location data is gathered on each individual throughout the day. It also wants to know the legal basis for processing the data and why it’s being collected.

Streaming services have come under scrutiny too. Technology giant Amazon, along with Apple, Netflix and Spotify, are all facing complaints from privacy group noyb [3] that, although they allow customers to download details of the personal information that is held, some of it is in a format that is not easily understood. Some of the streaming companies also failed to supply extra data such as details of other companies with which consumers’ data is shared.

Complaints have been filed by noyb with the Austrian data protection regulator which could result in fines being levied against the streaming services if they are upheld.

What does this mean for the rest of us?

It’s quite simply a brutal wake-up call. Whilst it is easy to sit on the sidelines thinking this will never happen to me, it shows that GDPR has to be taken seriously regardless of the size of your business.

While the investigations into Google and into the streaming services are focussed on privacy, it is likely that security will increasingly fall under the spotlight of the regulators too, especially the next time we see a major breach occur where personal data is leaked. Businesses must take security of their systems seriously and ensure that they protect their customers’ data.

With the majority of businesses using Microsoft in some shape or form, becoming GDPR compliant is easier than you think. Both Windows and the Office 365 suite of products have a host of features that make it easy to discover, manage, protect and report on data that you hold and process.

Cloudworks are a Microsoft Gold Partner and experts in cloud security and upgrading businesses from legacy systems to the latest Microsoft products. We have supported numerous companies, from just 10 users to over 30,000 users, in using Microsoft cloud products and security. If you’d like to know more, please call us on 0115 824 8244 or email us at hello@cloudworks.co.uk

[1] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

[2] https://www.datainspektionen.se/globalassets/dokument/ovrigt/google—request-for-reply-and-further-clarification—skrivelse-till-tillsynsobjekt.pdf

[3] https://noyb.eu/access_streaming/