The US tech giant, Google is fined EUR 50 million by France's data protection regulator, CNIL, for failing to comply with its General Data Protection Regulation (GDPR) obligations. This is the biggest GDPR fine yet to be issued by a European regulator and the first time that one of the tech giants has been found in breach with the new regulations that came into force in May 2017.
Complaints against Google were filed in May 2018 by two privacy rights groups: noyb and La Quadrature du Net. According to a statement by CNIL, Google failed to provide enough information to users about its data consent policies and didn't give them enough control over how their information is used. Specifically, CNIL explained that Google had not obtained clear consent to process user data because essential information was disseminated across several documents, and was accessible after several steps only, implying sometimes up to five or six actions. In addition, the option to personalize ads was "pre-ticked" when creating an account, which is contrary to GDPR rules.
This is not the first GDPR fine to have been issued. In December 2017, a Portuguese hospital was fined EUR 400,000 after its staff used bogus accounts to access patient records, while a German social media and chat service was fined EUR 20,000 in November 2017, for storing social media passwords in plain text. Also, a local business in Austria was also fined EUR 4,800 in October last year for having a security camera that was filming public space.
CNIL also stated that it set the fine at EUR 50 million in light of the severity of the infringement, however, if Google does not alter its ways, it can still be hit with further fines for non-compliance. Ultimately, the GDPR's power is not just about monetary penalties, but forcing changes to business models.
Serbia has recently enacted a new Data Protection Law, which presents a copy of the GDPR to a large extent, with its' applicability postponed for 21 August 2019. As a result, Serbian companies will have to ensure the compliance of their data processing operations by that time, which will not be a quick or easy task, as it involves substantial legal, technical and organizational adjustments.