Google fined $57,000,000 for GDPR violations

What happened to 4% of annual global turnover?!

Google has been fined $57,000,000 by France for violating the EU’s GDPR. This, frankly, couldn’t be any less surprising.

We’ve been writing about GDPR ad nauseam for over a year now. We’ve covered the compliance side of things, we’ve covered the enforcement side of things, and now comes the first coverage of the penal side of things (HEY! – mind out of the gutter!).

Let’s hash it out…

Let’s get up to speed on Google’s $57-million fine

If you’ll recall, the European Union’s General Data Protection Regulation went into effect on May 25. Pretty much the same day, Max Schrems, who leads a privacy advocacy organization called None of your Business (NOYB), sued Google and Facebook for violating the GDPR with what he called “forced consent.”

We’re going to get to that in a moment, because we’ve actually covered it at length in another post, but first let’s cover the basics.

Early on, the EU’s Data Protection Agencies held off on any punitive action because the regulation was still new and the whole world (after all, GDPR applies to anyone who does business in the EU – not just European countries) was kind of in a “feeling out” process, as per the European Privacy chief. Obviously I’m paraphrasing a bit.

That’s all over. France’s DPA, the Commission nationale de l’informatique et des libertés (CNIL), slapped Google’s parent company, Alphabet, with a massive $57-million fine on Monday.

In its statement, CNIL accuses Google of violating “obligations of transparency and information.” It also accuses the search giant of not obtaining valid consent, claiming:

  1. Users’ consent was not sufficiently informed
  2. Collected consent is neither “specific” nor “unambiguous”

Per the statement:

Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.

When reached for comment by the Washington Post, Google said it was “studying the decision to determine our next steps,” adding: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

Here’s a great way to see how strong the US dollar is right now: CNIL’s fine is actually for €50,000,000. Or, if you’re feeling Brexit-y, £44,000,000.

Or 5.7 billion Kenyan shillings.

For most companies, a $57,000,000 fine would be a death sentence. Alphabet, on the other hand, will make that back in about four hours.

That’s why, as eyebrow-raising as the dollar total is, this fine actually feels kind of feckless. Now, if it’s just one of many, with the other EU Data Protection Agencies chipping in to essentially facilitate death by 1,000 cuts, that’s different.

But the regulation is pretty explicit that the fine is 2-4% of global profits. That would be between 2.5 and 5.1 BILLION dollars. That would get Google’s (and soon, Facebook’s) attention pretty quickly. But $57,000,000 is half a day of work and bad headlines for Google.

Seriously, by this afternoon – not even half a day later – the focus had already started to shift to the Google phishing quiz. Brilliant PR.

Of course, this is just one of many battles currently being waged with Google across the Atlantic. There’s also action on Right to be Forgotten cases, antitrust lawsuits, and then there’s Google’s threat to shut down its news service in Europe over newly proposed copyright legislation.

What was Google doing to get fined?

Playing fast and loose with the rules. As it is wont to do, when it feels that it’s beneficial. Google, as much as any company on the internet, knows how to design its experiences across multiple platforms so that users take the intended actions.

There’s a degree to which this is OK. Any marketer will tell you that there are certain design choices that help influence a potential customer. For instance, most websites try to get you from cart through checkout with as few clicks as possible, lest you get distracted and wander off.

But there’s also a point where it moves from the realm of acceptable behavior into what designers call “dark patterns.” These are manipulative practices that can make it seem like there are no alternatives but to take an intended action (in this case, giving consent), or in some cases even force a user to take the action in order to continue using the service.

That’s what motivated Max Schrems, who launched the lawsuit that CNIL was responding to, in the first place: companies like Google and Facebook were essentially holding your account ransom.

Telling someone that they can only continue using your service if they consent to certain things that have nothing to do with the service you’re using goes against the whole spirit of the GDPR. It’s also totally acceptable in the United States, which is just one more way that our legal system differs from the European one.

And while that may seem like kind of a throwaway comment, this is going to grow into a major issue in the coming years because while the EU is very concerned with the rights and privacy of the individual, the US is more focused on being business friendly. And we are now in a truly global economy. Factor in the laws in major countries like China and Russia and this patchwork of international regulation is becoming a powder keg.

At any rate, we’ve written in depth about what exactly Google (and Facebook – who will be seeing fines very soon, too) was doing to draw a $57,000,000 fine, including plenty of examples and evidence. Give it a read.

How Google & Facebook Circumvent GDPR

As always, leave any comments or questions below…

Hashed Out by The SSL Store is the voice of record in the SSL/TLS industry.


Patrick Nohe

Patrick started his career as a beat reporter and columnist for the Miami Herald before moving into the cybersecurity industry a few years ago. Patrick covers encryption, hashing, browser UI/UX and general cyber security in a way that’s relatable for everyone.