Since the EU’s General Data Protection Regulation (GDPR) came into effect on May 25, 2018, a total of 91 fines have been imposed, totaling 55,955,871 euros (~$62,815,221).
The largest fine yet was issued in January 2019, when web giant Google was hit for €50 million, accounting for 90% of the total cost of GDPR penalties given out so far.
By understanding Google’s GDPR fine, as well as other GDPR penalties that have been issued so far, business owners worldwide can better navigate their own GDPR compliance efforts.
Why Was Google Fined by the EU?
French regulatory body Commission Nationale de L’informatique et des Libertés (CNIL) imposed a GDPR fine of €50 million against Google for lack of transparency and valid consent.
The fine was levied as a result of two complaints filed by French privacy rights groups None Of Your Business (NOYB) and La Quadrature du Net (LQDN), who accused Google of processing users’ personal data for advertising purposes without proper legal authorization.
They claimed that when users set up the Android operating system on a new phone, Google did not fully disclose how data was collected for purposes of personalizing advertisements across its services (such as YouTube, Gmail, and Google Maps).
This violated a core component of the GDPR, which is that businesses must be very clear about how they acquire customers’ data and what they use it for.
Google’s GDPR Fine Explained
Companies who fail to adhere to the requirements of the GDPR face a maximum fine of €20 million or 4% of their annual global turnover — whichever is higher.
Google’s fine of €50 million may seem like a large amount, but 4% of Google’s annual turnover would be approximately $4 billion — so the tech giant actually got off easy.
While Google’s EU headquarters is in Dublin, Ireland, CNIL determined that the company’s decisions leading to the violation were made in the US.
The takeaway here is that it’s not just corporations in Europe that can be hit, but any business worldwide that targets its services at customers in the EU.
As the Google penalty demonstrates, failing to comply with the GDPR in the US has consequences as severe as those in the EU.
Analyzing Google’s GDPR Enforcement
The company failed to meet two requirements of GDPR compliance:
1. Transparency
First, Google did not meet the transparency objectives outlined in Article 12 of the GDPR:
The controller shall take appropriate measures to provide any information… relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
One way Google failed to meet these objectives was by failing to provide vital information mandated by Article 13 — an explanation of data processing purposes, data storage periods, and categories of data.
According to the official deliberation, vital information was excessively spread out when users created their accounts:
Such an ergonomic choice leads to a fragmentation of information, thus forcing the user to greatly increase the number of clicks necessary to access the different documents.
By forcing the user to cross-check multiple documents, Google made information about its processing operations inaccessible. If the average user doesn’t understand how their data is being used, the practice is not transparent.
2. Consent
Google also failed to obtain valid consent from users. In Article 4 of the GDPR, consent is defined as:
Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
First, because vital information was not easily accessible, users were not fully informed.
In addition, when users created an account, the ad personalization box was pre-checked in the configuration options. This ‘by default’ choice meant that users did not agree to ad personalization with a specific and unequivocal positive action.
Articles 6 and 7 of the GDPR state that data controllers must be able to demonstrate consent for it to be lawful. Google could not.
How Can You Avoid the Same Mistakes as Google?
| Transparency | Consent |
|---|---|
| Fulfilling the accessibility requirements of Article 12 is straightforward – the average person should be able to read and understand your data handling practices through a privacy policy. Don’t intentionally use confusing vocabulary or legalese. Instead, provide your visitors with a clear and user-friendly GDPR privacy policy. And of course, don’t hide information behind multiple clicks, like Google did. | Obtain user consent for specific actions (e.g., receiving a newsletter). Don’t ask for one-time, all-encompassing permissions to do whatever you’d like with user data. Whether users are giving their consent should be obvious – and they should understand the full scope of what it entails. |
3 More Notable GDPR Lawsuits and Fines
It’s not just Google that’s been fined under the GDPR. Several other major businesses have received penalties for negligence as well as for intentionally ignoring the new regulations.
Here are some of the other most important GDPR fines so far.
1. Bisnode — 943,000 złotys (~$245,000, Poland, 2019)
Digital marketing and analytics company Bisnode was fined by the Polish Personal Data Protection Office (UODO) in March 2019 for failing to notify over 6 million people that the company was processing their data.
Bisnode obtained data from publicly-available sources, and used it for commercial purposes. However, they failed to comply with Article 14 of the GDPR, which requires businesses to make users aware of their data processing and collection practices.
Although individuals with an email address were informed, those who were only contactable by telephone or mail were ignored due to the expense involved. These actions violate Article 14 (5) of the GDPR, which discusses “disproportionate effort.”
How can you avoid a similar GDPR fine?
Implementing privacy by design as a best practice helps any business avoid this type of penalty. Privacy should be proactive not reactive, and incorporating it should be the default setting for your business.
The UODO deemed that Bisnode’s infringement was intentional, because the company was aware of its obligation, but ignored it. Instead of sending SMS messages or letters through the post, it only published relevant information in a data protection privacy policy on its website. This GDPR enforcement illustrates how important it is to make privacy a priority, rather than a bare-minimum effort.
2. Knuddels.de — 20,000 euros (~$22,000, Germany, 2018)
One of the most prominent GDPR penalties in 2018 involved German social networking site Knuddels.de. The company filed a data breach, because a hacker attack resulted in the theft of 330,000 users’ personal data, including passwords and email addresses.
Knuddels.de stored unencrypted user passwords in plain text, violating Article 32 of the GDPR by not ensuring a certain level of security.
Baden-Württemberg — the regional watchdog that imposed the fine — noted that the company cooperated well and that their transparency was “exemplary” throughout the process.
Within weeks, Knuddels.de had implemented extensive security improvements, reducing their fine to a mere €20,000
How can you avoid a similar GDPR fine?
This case demonstrates that if you make a timely effort to amend a GDPR violation, fines may be more lenient.
Article 83 of the GDPR states that fines should be dissuasive, but also proportionate. Knuddels contacted the authority directly and informed its users of the attack immediately. It also reportedly spent hundreds of thousands of euros improving its security architecture.
These costs and willingness to cooperate were taken into account when calculating the penalty — hence why it was reasonably low. Usually, GDPR fines for significant data breaches would be much higher.
If you ever do find yourself on the wrong side of the GDPR, take swift and effective action. Oversights and resulting violations can happen — but don’t lose hope before doing everything in your power to amend the issue and hopefully you’ll enjoy some GDPR leniency.
3. Taxa 4×35 — 1.2 million krone (~$180,000, Denmark, 2019)
When the Danish Data Protection Agency conducted random privacy checks, it found that taxi firm Taxa 4×35 had violated Article 5 of the GDPR by neglecting to delete customers’ phone numbers.
Taxa 4×35 has claimed that all customer information it collects is anonymized two years after each transaction. However, although they deleted the names of customers, they failed to delete the phone numbers for five years.
Therefore, the company still possessed the personal information of riders relating to almost 9 million taxi journeys.
How can you avoid a similar GDPR fine?
Delete user information when it is no longer needed, and update your internal systems accordingly, if need be.
According to Article 5 of the GDPR, personal data must be:
…kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Taxa 4×35 argued that it had waited five years to delete telephone numbers because they were required for its database, and aided business development. However, the data inspectorate highlighted that a company cannot alter the deletion period just because their internal systems and processes make it difficult to comply with the rules.
More GDPR Penalties to Come
Mathias Moulin — Director for the Protection of Rights and Sanctions Directorate for data watchdog CNIL — reportedly said that 2018 “should be considered a transition year” for the GDPR.
Considering the amount of complaints and data breach notifications that have been issued, the number of GDPR fines is surprisingly low.
However, regulators are just getting started.
According to a recent report published by law firm DLA Piper:
With the exception of the recent €50 million fine imposed on Google, so far the levels of fines have been low… However, we expect that 2019 will see more fines for tens and potentially even hundreds of millions of euros, as regulators deal with the backlog of GDPR data breach notifications.
As regulators have seemingly prioritized high-profile cases, many organizations are still waiting to find out if action will be taken against them.
Although it’s difficult to set a time frame, the International Association of Privacy Professionals (IAPP) believes more major GDPR penalties may arrive as soon as the summer of 2019.
GDPR Compliance for Small Businesses
GDPR small business penalties are rarely reported by local media, but plenty of smaller companies have been hit, too.
For example, German shipping company Kolibri Image violated Article 83 of the GDPR by failing to provide a processing contract, and was fined €5,000.
It’s not just large companies that are in danger — small businesses must adhere to the same high standards that cost Google €50 million for non-compliance.
It’s easy to forget that the maximum penalty is based on whichever is higher: €20 million or 4% of your annual turnover. Failure to comply with the GDPR is an equally significant risk for a small family-owned business as it is for one of the tech giants.
If it is the calm before the storm, as the watchdogs suggest, then now is the time to discuss a compliance plan with your team, and put data privacy at the forefront of your operations.
