Today the CNIL (France’s Data Regulator) has announced its intention to fine GOOGLE LLC €50 Million (£44 Million) for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes. This is the first time we have seen the CNIL leverage GDPR sanctions and also highlights that due to the continuous and on-going nature it is not limited to a one-off.
SureCloud has for over a year predicted that either the CNIL or BfDI (French and German information commissioners respectively) would be one of the first of the landmark cases and would be against a tier 1 or tier 2 US technology firm. The news today has surprised us in that they have sanctioned the US technology giant, who we had predicted would take additional steps around the regulation. It is disappointing to see that Google has not fully embraced GDPR.
GRC Practice Director, Alex Hollis said “The CNIL has certainly lived up to its reputation around matters for data protection in taking action. Since last May we have seen the dip following the initial interest and have been expecting these legal cases to emerge. The scale of the fine for Google is not the 4% which is allowed under the regulation, which must go some way to acknowledging the steps and controls that Google has taken.”
UK Sales Director, Scott Bridgen said “This is welcome news for data privacy within the EU and hopefully will wake up those who have become apathetic at the passing of GDPR. What is likely to occur based on history is that this particular fine will be taken through the legal courts with various appeals. It should certainly serve as a caution to those who don’t have the legal protection that Google has.”