Between the massive data breaches in world-famous companies and the plethora of ongoing scandals at Facebook, 2018 was the year that personal data protection began to make headlines – and generate concern – all over the world. And there was one game-changer among all these cases: the GDPR, the new European General Data Protection Regulation, which has been mandatory since May 25 last year.
As well as reputational damage, the GDPR carries with it hefty fines for infringement: up to €20 million or 4% of a company’s annual global turnover. Corporate cybersecurity necessities are shifting from remediation to prevention and protection of stored personal data. It is no longer enough to react once data has been exfiltrated; the only way to avoid the consequences of the GDPR is to comply with it, getting ahead of incidents involving personal data (PII).
And towards the end of 2018, the first sanctions began to appear. The highest (until now) was a €400,000 fine for a Portuguese hospital. However, this week, on January 21, 2019, we witnessed the first multi-million euro fine. And, what’s more, it’s for one of the world’s most valuable companies: Google.
Google and the issue of forced consent
The CNIL (Commission Nationale de l’Informatique et des Libertés), the French data protection agency, has fined Google LLC €50 million for violating GDPR rules about transparency and for not having a valid legal basis for processing personal data for advertising purposes.
This fine is clearly much more than a mere slap on the wrist. However, large though it is, it is much lower than it could have been, given that Alphabet, Google’s parent company, had revenue of €97.5 billion in 2017; the fine, therefore, could have been as much as €3.9 billion.
Another important aspect of the case is the fact that the GDPR stipulates that the investigation of any case must be carried out in the country where the the company’s “main establishment” is located. Although Google’s European headquarters is in Ireland, the CNIL does not consider that this HQ has decision making power for the processing of personal data. This means that the complaint is against Google LLC in the USA.
The first complaints about Google came on May 25, minutes after the regulation came into effect, when the non-profit organization noyb.eu presented the first complaints against several companies, including Google. The French digital rights group, Quadrature du Net also lodged a complaint against Google a few days later.
Both complaints are related to forced consent; they claim that the company lacks a sound legal basis to process its users’ personal data, since it forced them to consent to data processing they didn’t understand.
According to the CNIL, when a user creates a Google account on an Android mobile, they receive much of the information required by the GDPR – categories of personal data, purposes of data processing etc. – but state that the information is “excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.”
“The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” says the CNIL It also claims that the information offered by Google is very vague and generic when it comes to explaining to its users how their data will be used, and that there is a lack of information related to how long their data will be stored.
Another issue was the “I agree with Google’s terms of service” tick-box, instead of boxes with more detailed options.
The CNIL concludes that Google lacks valid permission from its users, since consent was neither “specific” nor “unambiguous” as stipulated by the GDPR.
How to avoid the million euro fines
One of the first steps towards complying verbatim with the GDPR is to provide appropriate protection for the personal data that your company stores and processes. A good start is to know exactly where this personal data is stored and who has access to it.
Panda Data Control, the data protection module of Panda Adaptive Defense does exactly this. Panda Data Control identifies all the files that contain personal data (PII) and records any kind of access to it, providing real time alerts about leaks, use, and suspicious or unauthorized traffic.
Panda Data Control helps your company to comply with several specific articles of the GDPR, including the right to erasure; notification of a personal data breach to the supervisory authority; and data protection impact assessment.
This fine for Google is the first million euro fine within the framework of the GDPR, but it won’t be the last: we are still waiting to see what happens in the cases of British Airways and Marriott, and the multiple Facebook cases.
If you don’t know how to protect the personal data stored on your corporate network, and want to save your company’s image and keep it from being fined astronomical amounts, don’t miss out on this opportunity to find out about the advantages of Panda Data Control.