Privacy Regulator Fines Google $57 Million
Claims of non-compliance with data protection rules bring a hefty fine against Google.
France’s data privacy regulator, the National Data Protection Commission (CNIL), fined U.S. tech giant Google €50 million ($57 million), the regulator’s first penalty under the EU’s General Data Protection Regulation (GDPR).
CNIL said it fined Google for “lack of transparency, inadequate information and lack of valid consent” regarding advertising personalization for users. It is one of the heftiest enforcement actions since the GDPR took effect in May 2018.
The GDPR rules are aimed at protecting individuals from the harvesting of their personal data by companies, which must use plain language to explain what they do with that data. The regulatory body claims that Google failed to comply with GDPR when new Android users set up a new phone and followed Android’s onboarding process.
The commission was responding to complaints by two data protection advocacy groups, None of Your Business and La Quadrature du Net, filed immediately after GDPR took effect. In the two complaints, the associations censured Google for not having a valid legal basis to process the personal data of its users, particularly for ads personalization purposes.
Google, whose parent company Alphabet reported $33.7 billion in revenue in its most recent quarterly report, said in a statement it is “deeply committed” to transparency and user control as well as GDPR consent requirements. “We’re studying the decision to determine our next steps,” it said.
“Google being fined for its noncompliance with GDPR will likely pave the way for penalties for other prolific companies that have not yet met the demands of the new law,” said Anurag Kahol, CTO and co-founder of Campbell, Calif.-based Bitglass, which provides data and threat protection. Kahol noted that until this point, data protection authorities have been incredibly patient with companies. “It seems this grace period is more or less passing. While Google may be able to absorb this financial penalty, other companies are likely not large or successful enough to do so. This instance should be a wakeup call for organizations everywhere to begin taking data privacy far more seriously.”
Jonathan Bensen, interim chief information security officer for San Jose, Calif.-based Balbix, which provides a breach avoidance platform, did not agree with the penalty. “CNIL’s decision to fine Google does not seem to be aimed towards solving the issue, but towards making money. Most people should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.”
Bensen claimed that if CNIL wanted to take a step in the right direction, it should suggest Google change the language in its Terms of Service rather than imposing a fine without offering a solution. “While it is possible to run an Android phone without a Google account, it makes it almost unusable.” Bensen said the same argument can be made about iPhones and needing an account with Apple.
Greg Sparrow, SVP and general manager at Duluth, Ga.-based CompliancePoint, which provides compliance and risk mitigation, explained, “Clearly U.S. businesses are not immune to privacy regulation in Europe. If there was any doubt, look to Google’s fine under GDPR. The largest fine yet to be imposed is being levied against one of the largest technology brands in the world. Make no mistake, European regulators are sending a message to Silicon Valley: fully comply with European privacy regulation or face the ire of regulators.”
Sparrow itemized the fines imposed so far under GDPR:
- $5,472 for a security camera filming in a public space.
- $22,800 for failure to adequately protect user passwords.
- $456,000 against a hospital for using fake accounts to access patient records.
- $56.8 million against Google for failure to gain adequate consent and give control to users on how their information is used.
Sparrow advised that the landscape for privacy regulations is ever-changing in both Europe and the U.S. “Less than a year ago, European regulators would not have been able to issue this fine.”
Credit unions in the U.S. are likely going to have to comply with GDPR if they have any members (even if it is only one or two) who moved to Europe or live in Europe. The same goes for European Union citizens with credit union accounts who are studying in the U.S.
In addition, the California Consumer Privacy Act of 2018, already passed into law, reportedly will provide Californians with a level of protection comparable to the EU’s GDPR and will be enforceable in 2020.
The CCPA applies to credit unions, banks, savings and loans, credit card companies, insurance companies and other financial services companies, and allows consumers to put limits on what financial companies can do with their personal financial information.
Sparrow warned that companies not addressing issues of consumer privacy and compliance with GDPR and CCPA are quickly falling behind industry trends and will likely become the focus of enforcement actions.
Sparrow suggested that to comply with GDPR and CCPA, organizations should start by focusing on consumer-facing interactions and privacy policies. “Make sure data processing disclosures are clear, unambiguous and located in one place. Organizations must ensure that they have a clear legal basis for processing user data; work with legal counsel or privacy professionals to establish this.” Understanding the detailed data flows and sharing of information with third parties is also of critical importance. “Organizations should look to establish a cross-functional team/task force to properly address the enterprise-wide impact these regulations will have.”