Google Fined $50 Million for a GDPR Violation in France


Back in 2018, the European Union announced the General Data Protection Regulation. In some ways, that regulation was extremely prescriptive, which led me to believe that it might not be enforced. On the contrary: Google was fined approximately $56.8 million for failing to comply with its GDPR obligations. This is the biggest fine to be issued by the EU, and it's the first time that one of the tech giants has been found guilty.

But before I get into that, let me remind you about the GDPR. It has been 8 or so months since it became a regulation. While not revolutionary, the GDPR is a set of rules designed to give EU citizens more control over their personal data. It aims to simplify the regulatory environment for business so that both citizens and businesses operating in the EU can benefit from the digital economy. More specifically, the regulations are designed to ensure that companies (social media companies, banks, retailers and even governments) don’t misuse your personal data.

If they do, in a security breach, for example, there will be consequences. More specifically, fines.

And that is what brings us back to Google. Google was fined by France’s data protection regulator, CNIL. The fine was issued because Google failed to provide enough information to users about its data consent policies and didn’t give them enough control over how their information was being used. But is that enough of an infraction to warrant such a hefty fine? According to the regulator, these violations haven’t been rectified by Google, which is why the fine was levied. Under the GDPR, companies are required to gain the user’s “genuine consent” before collecting their information. This means making consent an explicit opt-in policy that allows people to easily withdraw. This sounds like a great way to protect people’s privacy. Will it ever come to the United States?

Is this fine a little large? I mean, yes and no. Technically, the GDPR can issue higher fines. In fact, Google could have been fined up to 4% of its annual global turnover for the offense. In the fourth quarter of 2018, Google made $33.74 billion! If that was the average, that could have been their total fine for what might seem like a small infraction. Earlier, I indicated that the GDPR didn’t seem like it could be enforced because some of its policies seemed so far-fetched. But I was completely wrong.

Google isn’t the first company that has been fined, but it certainly is the biggest. In December, a Portuguese hospital was fined after its staff used fake accounts to access patient records. A German social media and chat service was fined in November for storing social media passwords in plain text. Lastly, a business in Austria was also fined for having a security camera that was filming a public space. None of these drew the kind of fine that Google is facing, but they were fined, nonetheless. And of course, the amount of the fine in most of these infractions seems to fit the “crime,” so to speak.

So why go after Google so harshly? My guess is twofold: they have the money to be able to pay the fine, and it also sends a pretty harsh message. Google has responded to the fine, indicating that they are “deeply committed to meeting the high standards of transparency and control”. They are also saying that they are studying CNIL’s decision in order to determine their next steps.