Many have heard about the French data regulator CNIL imposing a $57 million (€50 million) fine on Google for violating the General Data Protection Regulation (GDPR), specifically for failing to make its data collection policies easily accessible and for failing to obtain sufficient and specific consent for ad personalization across its services. This is the first major GDPR fine since the regulation took effect in May 2018. CNIL indicates that Google’s approach to gathering personal data makes it hard for users to understand what data is being collected and sold, and that Google is not transparent about how users can opt out.
Although this is not the first fine imposed for violating GDPR, it is by far the largest. In December, a Portuguese hospital was fined €400,000 after its staff permitted unauthorized access to patient records, while a German social media and chat service was fined €20,000 in November for storing passwords in plain text.
Lessons Learned?
Will there be a change to the privacy policies and settings from providers such as Google, or will it change the user experience of such services? According to CNIL, these violations have yet to be remediated, and, after all, the fine represents less than three hours of Google’s revenue. Will organizations continue to assess and mitigate risks related to the consent, privacy and protection of EU personal data, or will they be willing to accept the risk of being breached and/or face the fines for noncompliance with GDPR?
What’s Next
GDPR is not going away, and it is only a matter of time before additional privacy regulations are adopted domestically and internationally.
If you have any questions related to the GDPR or the privacy and protection of data, please visit our GDPR Compliance page.