We are now approaching eight months since GDPR came into effect across the EU on 25 May 2018. Despite this, recent studies have suggested that 50% of UK businesses are still not fully compliant with the regulation. Up until now, there have been relatively few high-profile enforcement cases. The most notable examples were a Portuguese hospital fined €400,000 for failing to restrict employee access to patient records, and the German chat website knuddels.de, fined €20,000 after the personal details of over 330,000 users were compromised in a hacking incident.
All this changed on 21 January 2019, when it was reported that Google had been fined €50 million (£44 million) by the French data protection regulator, CNIL, for breaching the regulation; it was the largest GDPR fine issued up to that point. Google was said to have demonstrated “a lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. In particular, CNIL found that “[u]sers are not able to fully understand the extent of the processing operations carried out by Google” because the essential information was spread across several documents, rather than presented in one place.
Another issue was Google’s approach to consent. The option to personalise ads was pre-ticked when a user created an account, which GDPR does not permit: consent must be an affirmative opt-in, not something the user has to opt out of. CNIL also noted that “GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose”. In practice that means a separate tick box for each purpose, for example one for personalised ads and another for direct email communications, rather than a single blanket consent. Google has decided to appeal against the fine.
One of the more interesting features of this story is the size of the fine. For breaches of this kind, GDPR (Article 83) sets the maximum fine at either €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater. Google’s parent company, Alphabet, reported annual revenue of well over $100 billion, so 4% of turnover would have run to several billion euros; the fine could therefore have been considerably larger than £44 million. Note that turnover means revenue, not profit, so the cap is calculated on gross sales.
All this leaves more questions than answers about the criteria regulators will apply when deciding how close to the maximum a fine should be. It will also be interesting to follow the appeal. Should the fine be upheld, it would have important implications for how large corporations, particularly those whose business models rely on targeted advertising, such as Facebook and Amazon, collect consent and present their privacy information.
Falling foul of the consent rules is not the only problem businesses are having with GDPR. According to data integration firm Talend, only 17% of UK organisations are correctly handling subject access requests, under which individuals have the right to obtain a copy of the personal data held about them (Article 15), normally within one month of the request (Article 12). It seems that most organisations, large or small, are still having difficulty complying with GDPR, even almost eight months down the line.