France issues Google with the heaviest GDPR fine to date

Europe data protection

Google has been hit with a landmark 50 million GDPR fine, issued by the French privacy Watchdog CNIL - the largest in the GDPR's history.

The fine was issued following complaints made by two organisations, noyb (None of Your Business) and LQDN (La Quadrature du Net), back in May 2018 relating to Google's 'forced consent' to continue processing users' data.

Specifically, the complaint related to Android users who, when setting up a new Android phone, were forced to follow Android's onboarding process which included forced consent for the processing of their data. Both groups said Google had no legal basis to process the personal data of its users "particularly for ads personalisation purposes".

GDPR requires the data controller to provide its users with the option to opt-in to have their data processed whereas, before the regulation's implementation, users were required to opt-out.

"This is the first time that the CNIL has applied the new maximum penalties provided by the GDPR. The amount withheld, and the advertising of the fine, at first justified by the seriousness of the deficiencies that affect the essential principles of GDPR: transparency, information and consent," CNIL said in a statement.

The maximum fines for GDPR are 20 million or 4% of the company's annual turnover, whichever is greater. In this case, Google could have theoretically faced a maximum fine of almost 4 billion.

While 50 million is pocket change compared to the potential maximum fine that could have been issued - especially since 50 million was just 0.0005% of Google's annual turnover for 2017 - some believe it does at least show that GDPR is being taken very seriously by the powers that be.

"The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR," said Matt Lock, director of sales engineering at Varonis.

"The news should be hitting companies like a cold shower. It's not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls.

"The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar - their luck may be running out soon."

The landmark fine was justified by Google's lack of action following the claim. CNIL said that the violations are continuing to this day and are ongoing violations of the GDPR.

Schrems takes no prisoners

The privacy group noyb lead by Austrian lawyer and privacy advocate Max Schrems has also made the headlines for filing a further eight GDPR complaints on behalf of 10 users on Friday.

The companies in noyb's crosshairs include Amazon, Apple, Netflix, SoundCloud, Spotify and YouTube. The complaints were filed under alleged violations of Article 15 of the GDPR which relates to the users' right to access their own data.

"Many services set up automated systems to respond to access requests, but they often don't even remotely provide the data that every user has a right to," said Schrems.

"In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users' rights, as these systems are built to withhold the relevant information."

Credit: noyb

The privacy group tested the aforementioned companies to see how well they complied with the specific requirement of GDPR "but no service fully complied," it said.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.