The French data protection authority (CNIL) has hit Google with a record £44m fine for its failure to provide users with clear information in its data privacy notices, as required by GDPR.

CNIL said that Google had made it difficult for its users to find key information about how Google processes their personal data and how long it stores that data, and to understand how personal data is used in advert personalisation.

CNIL also found that where Google relies on consent from its users (as its legal basis to carry out specific data processing activities), it had often failed to obtain “specific” and “unambiguous” consent, which is the new level of consent imposed under GDPR.

The fine came about following pressure from the privacy group, None Of Your Business (Noyb). Noyb has also recently filed formal complaints against Amazon, Apple, Netflix and Spotify for perceived failures to comply with GDPR.

Noyb’s leader, Max Schrems, criticised in particular the “take it or leave it” approach adopted by these companies and argued that many consents obtained by these companies are invalid given their “powerful position” in the market.

The penalty imposed on Google represents the highest fine ever imposed by any data protection authority. However, the fine is arguably the thin end of the wedge and a sign of more drastic things to come.

The maximum penalty for a breach of GDPR is £17.7m or 4% of global turnover (whichever is higher), meaning that Google could have theoretically faced a fine of several billion pounds (having made $33.74 billion in the last quarter alone).

Whilst the headlines are largely dominated by the international tech companies who deal in big data, it is evident that there is a sea-change in the attitudes of data protection authorities. It is anticipated that the ICO will be seeking to impose greater penalties on businesses who fail to demonstrate compliance with all areas of GDPR, including data security, retention of data, consent issues and unlawful direct marketing practices.

It is therefore crucial that businesses remain vigilant about their data protection practices and, to the extent they have not already done so, ensure that those practices are compliant with GDPR.

If you would like to speak to one of our solicitors specialising in GDPR about compliance or any aspect of data protection law, please contact us on 0161 941 4000 or by e-mailing lawyers@myerson.co.uk.