Google Fined $57 Million for Data Privacy Violations
Author: Robert S. Teachout, XpertHR Legal Editor
February 6, 2019
Google was fined 50 million euros (approximately $57 million) for violations of the European Union's General Data Protection Regulation (GDPR). In issuing the fine, France's data protection agency, CNIL, stated that the penalty was due to Google's "lack of transparency, inadequate information and lack of valid consent regarding ads personalization." The fine is the largest GDPR-related penalty issued to date.
The lack of transparency goes to the heart of the GDPR requirement to obtain clear consent from an individual for the collection and use of personal data. The GDPR, which went into effect May 25, 2018, requires companies to obtain "genuine consent" before collecting a user's information, meaning the process must be explicitly opt-in and make it easy for people to withdraw their consent. CNIL said that Google had offered users inadequate information, spread the information across multiple pages and failed to gain valid consent for personalizing ads.
The company announced that it will appeal the fine, saying it had worked hard to create a GDPR consent process for its ads personalization settings that was transparent and straightforward.
The fine against Google highlights the possible GDPR compliance obligations with respect to human resources data for organizations that collect and/or transfer the data of workers located in the European Economic Area (EEA). Among other things, covered employers with HR data compliance requirements need to:
- Ensure data is processed for permissible reasons;
- Provide notice when processing personal data;
- Allow workers in the EEA to exercise their rights to access, correct, object to, delete or restrict the processing of their personal data;
- Screen service providers and amend service provider agreements;
- Implement organizational and technical privacy measures; and
- Implement data security safeguards and a security incident response plan.
Google is also facing a GDPR probe by the Swedish data protection agency, which criticized the company for the "overwhelming amount of granular choices" presented to users on their privacy dashboard and for the use of numerous pop-ups to discourage users from turning off location data.