
Google faces £44 million GDPR fine

04 February 2019

The BBC has recently reported that Google has been fined 50 million Euros (£44 million) by the French data regulator CNIL for a breach of the EU's data protection rules.

CNIL states that Google has failed to acquire its users’ ‘genuine consent’, as the option to receive personalised ads is currently ‘pre-ticked’ when creating an account. The General Data Protection Regulation (GDPR), by contrast, requires that consent be explicitly opted into by an individual and be easy to withdraw.

CNIL also argue that there is a ‘lack of transparency’ as Google’s data usage information is fragmented over multiple documents, which makes it difficult for individuals to see what their personal data will be used for.

You may be forgiven for thinking ‘Well, this fine happened in France, not England, so how does this impact us?’ One goal of GDPR is to standardise the protection across the EU that people have in relation to their data protection rights. It is more than likely that the UK regulator for data protection breaches, the Information Commissioner's Office, will take note and follow suit to be consistent with other regulators.

GDPR was brought in on 25th May 2018 to amend previous data protection law. This change in the law gave further protection to individuals and increased the possible fines for breach of data protection regulation by an organisation.

Previously the maximum fine in the UK was £500,000. This can be seen in 2018, prior to GDPR enactment, when Facebook was subject to a £500,000 fine for failing to ensure that Cambridge Analytica had deleted users' data. This amount will have minimal impact on a large, global entity such as Facebook. Meanwhile the larger fines now allowed, such as that faced by Google, may serve as a deterrent to large companies and ensure compliance when considering data protection regulations.

Smaller organisations and companies are also subject to GDPR and thus may be fined if they do not adhere to the law in this area. Whilst a smaller company is unlikely to incur fines of a similar scale to that currently faced by Google, a fine of 0.05% of that faced by Google would still amount to £22,000.

Understand your data protection obligations as a data controller with Taylor Bracewell:

As a data controller, there are several obligations placed upon you regarding the collection, storage and usage of individuals’ personal data. These include but are not limited to:

  • Gaining the explicit consent of an informed data subject.
  • Using data in a lawful, fair and transparent manner and for a legitimate purpose.
  • Having adequate technical and organisational information security in place.
  • Having appropriate policies in place and conducting data protection audits where appropriate.
  • Paying any applicable fees to register as a data controller.
  • Maintaining detailed records regarding all data usage.
  • Adhering to strict data breach notification rules.
  • Potential obligations to appoint a Data Protection Officer.

For advice on your rights and obligations regarding data protection, or if you would like to speak to a data protection expert, please do not hesitate to contact 01302 341414.
