Google hit with £44m GDPR fine – are you compliant?

Google has been fined €50m (£44m) by the French data regulator CNIL (Commission Nationale de l’Informatique et des Libertés, the same as the Information Commissioner’s Office in the UK) for breach of the new (May 18) EU data protection rules (General Data Protection Regulation – GDPR).

CNIL stated that the record fine was levied for ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’.

Furthermore, CNIL has determined that people were ‘not sufficiently informed’ about how Google collected data to personalise advertising.

This ruling follows a referral/complaint under the new GDPR on the date of launch (25th May 2018) claiming Google had not correctly obtained valid legal basis to process data for ads personalisation.

One claim, filed by France’s Quadrature du Net group, on behalf of some 10,000 signatories, accused Google of securing ‘forced consent’ on its Android operating software where pop up boxes implied that you could not use the services without giving that consent.

Despite Google’s European headquarters being based in Ireland, the case was handled by French regulators as those in Ireland had no jurisdiction over Google’s Android software.

The regulator also said Google had confused the issue because ‘essential information’ regarding consent to advertising was ‘spread across several documents’ or after several steps (sometimes up to six actions) and also options to personalise ads included ‘pre-ticked’ permission boxes, which are not allowed under GDPR.

In addition, whilst it is required under GDPR that specific consent is required for each individual purpose, Google had obtained just one consent covering all of its advertising methods such as Google Search, YouTube, Google Maps, Google Play etc.

Google have responded with a statement “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

Under previous legislation these breaches would most likely have resulted in a fine of a few hundreds of thousands of pounds.

GDPR is now in place – is your business secure? Have you taken the necessary steps to ensure compliance?

We have previously featured a number of myth busters which are worth repeating below:

It doesn’t affect me – most likely wrong!

GDPR affects every business which collects and uses data, particularly if that data is collected online and for larger businesses this requires them to appoint a Data Protection Officer.

The risks are worth it!

You could always take that attitude, however, you should be aware that to ensure accountability, fines increased from the previous maximum of €500,000 to €20m or 4% of global turnover.

I do not work with Personal Data – most likely wrong!

The EU has greatly expanded the definition of personal data under GDPR, including for example any online identifiers such as IP addresses and including broader economic or cultural information collected.

I already get implied consent to collect and store data so not my problem – most likely wrong!

Under GDPR advertisers must get explicit and informed consent from EU residents.

BREXIT will mean it doesn’t affect the UK – wrong again!

The Government has confirmed that the UK’s decision to leave the EU will not affect this important and far reaching change and this regulation replaced the UK’s previous data protection laws (Data Protection Act 1998).

You could of course read up on the regulation through your own research such as the Information Commissioner’s Office website (use this link:

Or, you could attend one of our training courses to help you, and your staff, understand the regulations and help you identify what your organisation needs to put in place – now!

Focus on Training has pulled together one of the most comprehensive course choices for GDPR, including a number of independently Certified Data Protection & GDPR Training, and Information Security & Cyber Security Training courses.

As well as our range of classroom and online events, we can provide competitively-priced onsite training if you are looking to provide your team with a data protection overview or industry-recognised certification.

Visit us at where you can see the full list of what is available.

Don’t delay, get yourself protected today.