Rules for protecting data stepped up a gear when the EU implemented the General Data Protection Regulation (GDPR) last May. It was introduced to improve the way organisations handle personal data, and they were expected to comply with the new rules or risk heavy fines. Here, we look at how a French regulator is showing its teeth to ensure its citizens’ privacy and data are protected.
The General Data Protection Regulation (GDPR) came into force in May 2018, and at that time data protection regulators offered guidelines on how to protect personal data so that companies would be compliant with the new rules.
On the day of the implementation, CNIL, the French data regulator, released an article offering support to public and private bodies to help them understand the changes that would take place and how to make the transition in a methodical way.
Included in the article was a six-step method which highlighted the necessary measures organisations would need to take to ensure GDPR compliance. The CNIL took an early interest in GDPR and has remained actively involved in ensuring it is upheld.
And the regulator showed its teeth to the world when it issued Google with a €50 million fine, citing the tech giant’s ‘lack of transparency’, ‘unsatisfactory information’ and ‘lack of valid consent for the personalisation of advertisements’.
In its decision statement, the CNIL stated that two associations, None Of Your Business (‘NOYB’) and La Quadrature du Net (‘LQDN’), had filed complaints against Google back in May 2018. The associations criticised Google for failing to have a valid legal basis to process the personal data of the users of its services, in particular for the purpose of personalisation of advertising.
Investigations carried out by the CNIL found two major concerns in connection with the GDPR. The first was that the information provided by Google about its use of data is not easily accessible to users. The second concerned the data used for the personalisation of adverts, for which the consent obtained was not valid. The CNIL therefore issued Google with a €50 million fine, the first time the regulator has applied the new maximum penalties provided for by the GDPR.
A spokesperson for Google said the company was studying the decision to determine its next steps, adding: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
Industry experts have had their say on the CNIL’s decision to fine Google, with Matt Lock, Director of Sales Engineering at Varonis, stating that the news should be ‘hitting companies like a cold shower’.
“The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR,” he said.
“It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programmes and hoped to simply fly under the radar – their luck may be running out soon.”
Meanwhile, Alex Hollis, GRC Practice Director at SureCloud, said the CNIL had certainly ‘lived up to its reputation’ on matters of data protection in taking action.
He said: “Since last May, we have seen the dip following the initial interest and have been expecting these legal cases to emerge.
“The scale of the fine for Google is not the 4% which is allowed under the regulation, which must go some way to acknowledging the steps and controls that Google has taken. It should certainly serve as a caution to those who don’t have the legal protection that Google has.”
Fouad Khalil, Vice President of Compliance at SecurityScorecard, highlighted that it was ‘no surprise’ that the fine had been issued by the French privacy watchdog.
“CNIL is the only regulator that issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France where it is considered to be more effective,” he said.
“The new year is upon us, as is GDPR enforcement and fines. Companies that have sat back and watched the privacy tidal wave hoping that it will miss them should reconsider. As with any new regulation, most companies scramble to comply once they realise the ramifications are real.
“We are learning that no one is beyond GDPR reach – Google was fined €50 million due to people ‘not [being] sufficiently informed’ about how Google collected data to personalise advertising.
“The regulator indicated that Google provided inadequate information to its consumers as well as having had invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is.
“Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it as continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.
“In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase.”
Ryan Kalember, SVP, Cybersecurity Strategy, Proofpoint: “This GDPR fine brings to light some vital lessons for other businesses observing this crisis from a distance. By becoming the highest fined company since GDPR came into force, Google is now the black and white case study of ‘what could happen’ in the event of non-compliance. In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.
“Many organisations are still unsure whether their GDPR compliance strategy is 100% fit for purpose, but this incident signals that long gone are the days where privacy can be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue. Compliance professionals now have a use case to take to the board to secure any funding and resources they need to become GDPR compliant if their organisation isn’t today.”
Paul Farrington, Director of Solutions Architecture (EMEA) at Veracode: “The fine against Google is an indication of the serious focus on privacy and security by regulators. Global enterprises must take steps to ensure security hygiene and compliance with standards to reduce their risk and protect data.”
Bharat Mistry, Principal Security Strategist at Trend Micro: “This just goes to show that even the big technology firms are struggling with the tightening regulatory and compliance regimes that the EU has put in place to protect EU citizens’ data. This fine will be a wake-up call for the tech giants and any other company that is collecting and hoarding mass amounts of personal data without applying due care and attention to the protection, retention and safe disposal of the data once it is no longer required.”
Matt Walmsley, EMEA Director at Vectra: “And so CNIL, the French supervisory authority, flexes its muscles and Google is the first big scalp for GDPR fines. Others will follow.
“User experience and clarity in terms and conditions have been used to remind us that data management and use are just as important as data security within GDPR. I’d expect Google to challenge the ruling and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others.”