GDPR Fines: Blood in the water. Who’s first?

GDPR Fines Against Google

The Commission nationale de l’informatique et des libertés (CNIL), France’s data protection authority (DPA), has levied a €50 million ($57 million) fine against Google for violating the GDPR’s transparency, information, and consent requirements in deploying targeted advertisements. The fine, issued on January 21, 2019, is the largest under the GDPR to date and the first involving a U.S. technology company.

The CNIL’s investigation was triggered by complaints from two advocacy groups, None of Your Business and La Quadrature du Net, filed immediately on the GDPR’s May 25, 2018 effective date. The complaints alleged “forced consent”: users of Android-powered mobile devices had to agree to Google’s entire privacy policy and terms of service before they could use the device. On that basis, Google lacks a legal basis to process users’ personal data for ad personalization.

Why a €50 Million Fine?

The CNIL relied on four factors in issuing its €50 million fine.

  1. The nature of the infringements, relating to lawfulness (Art. 6) and transparency (Arts. 12 and 13). Both are core principles of the GDPR and are listed as triggering its highest fining threshold, 4% of global annual revenue (Art. 83.5).
  2. The infringements were continuous and still ongoing after the GDPR’s effective date.
  3. The processing purposes, their scope, and the number of individuals concerned.
    • CNIL’s investigation focused on users who created a Google account while setting up their Android device, and noted that this is a very large number of individuals.
    • Given Android’s dominant share of the French smartphone market and the number of smartphone users in France, the processing is vast.
    • The number of Google services involved (more than twenty) adds to the scope, because of:
      • the variety and type of data involved;
      • the multiple technological processes that enable Google to combine and analyze data from various services, applications, or external sources;
      • the “multiplying effect” these processes undeniably have on the knowledge the company has about its users;
      • the means the company has for potentially unlimited combinations, enabling a massive and intrusive use of consumers’ data.
  4. The infringements viewed from the perspective of Google’s economic model:
    • the processing of user data for advertising purposes via Android;
    • the advantages Google obtains from that processing;
    • CNIL’s conclusion that, given both, Google must be especially careful about its responsibilities under the GDPR.

CNIL does not say how it arrived at the amount of €50 million, but indicates these infringements would be subject to the GDPR’s 4% maximum fine, which would have been calculated on Google’s 2017 global revenue of €96 billion. It is clear that the CNIL did not impose the maximum fine. However, other than saying the fine of €50 million was “justified”, CNIL provides no reasoning for this amount or for how the factors referred to above influenced it.

2018 Decisions & Fines

This case against Google represents the CNIL’s first published enforcement action explicitly under the GDPR, and the largest fine it has ever imposed. It also highlights the CNIL’s scrutiny of notice and consent in online advertising, which had been building in the preceding months, as evidenced by other recent CNIL decisions.

This fine comes one month after Italy’s DPA fined Facebook €10m for misleading its own users about its data practices. The watchdog said Facebook wrongly emphasized the free nature of the service without informing users that their data would be used to generate a profit for the company.

Google’s was not the first GDPR fine, just the largest to date.

The first fine was issued in Austria in October 2018, although it is not strictly related to personal data processing. A betting shop received a €4,800 fine for a security camera that was recording part of the pavement outside, since large-scale monitoring of public spaces is not permitted under the GDPR.

At the end of October, the Comissão Nacional de Protecção de Dados (National Data Protection Commission) in Portugal imposed three fines on the Hospital do Barreiro, the first fines related to the processing and storage of personal data: two sanctions of €150,000 and one of €100,000, for a total of €400,000. The first two fines of €150,000 were for violation of the principle of data integrity and confidentiality, and violation of the principle of data minimization, which in theory prevents indiscriminate access to data. 985 physicians had active accounts on the system giving them access to clinical files, while the hospital had only 296 active doctors on the date of the inspection.

The third fine was related to the inability of the Hospital as data controller to ensure the confidentiality and integrity of the data of its clients and patients.
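The Barreiro finding above (far more accounts with clinical-file access than active doctors) is exactly what a periodic reconciliation of system accounts against the HR roster is meant to catch. The following is an added example, not code from the article or from the hospital; the data model, names and sample records are constructed for illustration:

```python
"""Reconcile enabled accounts against the HR roster (constructed example)."""
from dataclasses import dataclass

CLINICAL_GROUP = "clinical_files"          # access group guarding patient files
CLINICAL_ROLES = {"physician", "nurse"}    # roles that justify that access


@dataclass(frozen=True)
class Account:
    user_id: str
    staff_id: str
    enabled: bool
    groups: frozenset


@dataclass(frozen=True)
class StaffRecord:
    staff_id: str
    role: str
    active: bool


def reconcile(accounts, roster):
    """Return (orphaned, overprivileged) user ids, both sorted.

    orphaned: enabled accounts whose staff id has no active HR record
    overprivileged: enabled accounts holding clinical-file access
                    although the holder's role is not clinical
    """
    active = {s.staff_id: s for s in roster if s.active}
    orphaned, overprivileged = [], []
    for a in accounts:
        if not a.enabled:
            continue
        rec = active.get(a.staff_id)
        if rec is None:
            orphaned.append(a.user_id)
        elif CLINICAL_GROUP in a.groups and rec.role not in CLINICAL_ROLES:
            overprivileged.append(a.user_id)
    return sorted(orphaned), sorted(overprivileged)


def clinical_access_ratio(accounts, roster):
    """Enabled accounts with clinical access per active clinician (1.0 is the ideal)."""
    holders = sum(1 for a in accounts if a.enabled and CLINICAL_GROUP in a.groups)
    clinicians = sum(1 for s in roster if s.active and s.role in CLINICAL_ROLES)
    return holders / clinicians if clinicians else float("inf")


# Constructed sample data: one departed physician still enabled, one clerk with clinical access
ROSTER = [StaffRecord("S1", "physician", True), StaffRecord("S2", "physician", False),
          StaffRecord("S3", "admin", True)]
ACCOUNTS = [Account("dr.alice", "S1", True, frozenset({CLINICAL_GROUP})),
            Account("dr.bob", "S2", True, frozenset({CLINICAL_GROUP})),
            Account("clerk.carol", "S3", True, frozenset({CLINICAL_GROUP})),
            Account("old.dave", "S9", False, frozenset({CLINICAL_GROUP}))]
```

Run on a real export, the ratio is the single number an auditor would ask for, and the two lists are the deprovisioning work queue.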

In the middle of November, a social network in Germany, Knuddels.de, received a €20,000 fine after a hack that leaked 808,000 email addresses, along with over 1.8 million usernames and passwords. This information was then published online with no encryption. The social network responded that once the leak had been discovered, it immediately improved its security measures.

After the incident, it was discovered that the website had no kind of protection on its sensitive information. According to LfDI Baden-Württemberg, the German data protection agency handling this case, one of the reasons that the website received a “relatively low” fine was that it acted with transparency, and quickly implemented security improvements.

Higher Fines Expected in 2019

The economic sanctions so far are clearly conservative compared to the maximum possible penalties, but with the recent spate of high-profile data leaks from Marriott, British Airways, and Quora, it won’t be long before larger, harsher fines start to appear.

How Can You Avoid GDPR Fines?

What can you do to avoid a fine of millions of euros or dollars? The most important thing to bear in mind is that prevention is better than a cure. By having appropriate data leak protection in place for the personal data your company manages, you can avoid sanctions and fines.

  • Start by determining whether online storage or an on-premises solution is right for your needs.
  • Control who has access to it.
  • Realize that if you use Sync and Share instead of a private cloud file-sharing solution, you have just doubled the amount of data you hold, and you have also doubled the number of locations you need to defend. One of those locations is outside your control.
  • Complexity reduces security. The more complex a solution is, the less it will be used.