The GDPR Fine-O-Meter has rocketed with news that the French authorities have fined Google 50 Million Euros for data breaches under the GDPR.
Introduced in May 2018, the regulations which apply EU wide give individuals more control over their data than previously, with businesses needing to seek consent for specific uses. As well as imposing stricter rules for handling data the regulations allow the regulatory authority in any member state to impose seriously painful fines which can be as high as 4% of turnover. In Google’s case this could have amounted to around 4 billion Euros. Viewed that way Google got off lightly and certainly far more lightly than last summer when they were fined 3.8 billion by the EU for breach of competition law committed by pre-installing a Google search browser in Android devices sold in Europe.
This French ruling really drives home the need to make sure that you genuinely comply with the regulations. Mere superficial compliance is not enough as different countries will have different attitudes to ensuring compliance. While Google’s base of operations for Europe, Middle East and Africa is for tax reasons in Ireland, it was the French Regulator supported by lobby groups in France who were determined to bring Google to book.
So are there any lessons to be learnt from the decision in this case and from the comments made by the regulator? If there are, these are the things to note:
- You need to make it easy for users to find essential information about how their data will be used and stored.
- You should avoid splitting this information across multiple documents, help pages and screens. Transparency is key.
- You should give users the opportunity to consent to different uses – not just opt in or out of all the uses you intend to make.
This decision will no doubt send alarm signals to all tech companies who do business in Europe, even ones that are not giants, and some review of exposure and risk should be undertaken. Do you carry on as before on the assumption that the authorities in France wanted to make an example of Google, and that further enforcement and huge fines are unlikely? Alternatively, do you invest a little time and resource reviewing and amending your consent-gathering practices to make sure that users are ticking OK to every last purpose for which their personal data is to be used?
It’s not too late to get your GDPR compliance in order, and in the current climate it may be advisable to do just that.
Written by Margaret Briffa