GDPR – Fines start to bite
Following a complaint that was made on the date the GDPR came into force, 25 May 2018, Google has been fined £44 million for breaches of the Regulation.
The fines were imposed by the French data regulator – but the outcome is likely to have been the same if the UK regulator, the ICO, had been involved.
The breaches related to Google’s collection of personal data which it used to personalise ads. There are reminders for us all in the reports of the decision of the regulator.
The regulator found that consent had not been properly obtained. The option to personalise ads was pre-ticked when a user created an account. The essential information about how the data would be used was spread across several different documents meaning that some five or six actions were needed on the part of the user to access that information. This lack of transparency meant that users were not sufficiently informed about how Google collected data to personalise advertising.
The GDPR requires consent to be specific – given distinctly and affirmatively for each of the purposes for which the data will be processed.
The level of fine is related to Google’s turnover; but there is no doubt that the regulators are flexing their new powers under the GDPR.Back to Our Thinking →