Statement on CNIL Google GDPR fine

In order for GDPR to be effective at protecting people's data, it must be implemented and enforced. Therefore, we are pleased to see that CNIL has taken action and issued Google a fine of €50 million based on complaints by NOYB and La Quadrature Du Net in May 2018. Despite numerous statements by Google that it takes the protection of people's data seriously, the decision demonstrates that they have a long way to go and that regulators will take action to hold companies that fail to comply with GDPR to account. That the decision comes in response to complaints by NOYB and LQDN (representing 10,000 people) also demonstrates the importance of the role of civil society in raising these issues.

This fine should serve as a wake-up call for all companies whose business models are based on data exploitation to take data protection and individuals' data rights seriously.

One of the key points in CNIL's decision is the lack of transparency and valid consent for Ads personalisation. The exploitation of personal data in the Ad ecosystem, from Google to data brokers and AdTech companies, is of serious concern to PI. The decision gives us confidence that our complaints against seven data broker and AdTech companies filed to CNIL, the Irish DPA and the UK ICO in November 2018, will prompt similar scrutiny and action against these lesser-known companies which amass and exploit the personal data of millions of people. Whilst 50 million euro may not seem a lot to Google, it is just a single fine and regulators should continue to take action on other pending complaints (for example: consumer organisations around Europe recently filed complaints to multiple regulators against Google's location tracking).

The above statement is attributable to PI Legal Officer, Ailidh Callander