sb-au logo
Story image

Expert comment: Google fined US$57mil for GDPR breaches

22 Jan 2019

EU’s data privacy regulation, the General Data Protection Regulation (GDPR), has drawn first blood to the tune of €50mil.

French data privacy agency, the National Data Protection Commission (CNIL), has imposed the fine against Google for “lack of transparency, inadequate information, and lack of valid consent regarding ad personalisation”.

The committee examining the breaches found two types of breaches of the GDPR – a violation of the obligations of transparency and information and a violation of the obligation to have a legal basis for ads personalisation processing.

Violation of the obligations of transparency and information

The committee found that

  • The information provided by Google is not easily accessible for users  
  • Essential information (data processing purposes, data storage periods, categories of personal data used for ad personalisation) is disseminated across several documents and complicated to obtain    
  • Some information is not always clear nor comprehensive  
  • It is difficult for the user to fully understand the extent of the processing operations carried out by Google across its multitude of services and the way the data is processed and combined

Violation of the obligation to have a legal basis for ads personalisation processing

The committee found that

  • Google obtains a user’s consent to processing data for ad personalisation, but the consent is not validly obtained for two reasons

  • The first being that the users’ consent is not sufficiently informed, with the information being fragmented and not enabling users to be aware of their extent.

  • The collected consent is neither “specific” or “unambiguous” as required by the GDPR.

Experts say this is a clear signal that regulators will be enforcing the GDPR regulations and compliance is mandatory.

Proofpoint cybersecurity strategy SVP Ryan Kalember says, “This GDPR fine brings to light some vital lessons for other businesses observing this crisis from a distance.

“By becoming the highest-fined company since GDPR came into force, Google is now the black-and-white case study of ‘what could happen’ in the event of non-compliance.

“In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.

“Many organisations are still unsure whether their GDPR compliance strategy is 100 percent fit for purpose, but this incident signals that long gone are the days where privacy can be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue.

“Compliance professionals now have a use case to take to the board to secure any funding and resources they need to become GDPR compliant if their organisation isn’t today.”

Varonis sales engineering director Matt Lock says, “The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR.

“The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls.

“The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programmes and hoped to simply fly under the radar– their luck may be running out soon.”

Story image
SMBs seeking service providers in face of rising cyber threats
SMBs are struggling with their cybersecurity solutions, with three quarters worried about being the target of a cyberattack in the next six months, and 91% considering using or switching to a new IT service provider if offered a better option.More
Story image
Is cyber deception the latest SOC 'game changer'?
Cyber deception reduces data breach costs by more than 51% and Security Operations Centre (SOC) inefficiencies by 32%, according to a new research report by Attivo Networks and Kevin Fiscus of Deceptive Defense.More
Story image
ESET launches the latest version of its Mobile Security solution
“With this latest version of ESET Mobile Security, we want to ensure our users feel completely secure when performing financial transactions on their devices, in addition to being protected from malware and phishing attempts."More
Story image
Video: 10 Minute IT Jams - The benefits of converged cloud security
Today, Techday speaks to Forcepoint senior sales engineer and solutions architect Matthew Bant, who discusses the benefits of a converged cloud security model, and the pandemic's role in complicating the security stack in organisations around the world.More
Link image
Why video-streaming companies should consider a multi-CDN strategy
Video streaming continues to grow each year, and in order to ensure quality of experience, new strategies must be leveraged.More
Story image
Phishing scam imitates SharePoint & OneNote for nefarious clicks
Sophos researchers say that the attackers take a slightly different approach to the standard ‘fake login’ phishing email.More