skip to main content

Ovum view


On January 21, 2019, the French data protection regulator CNIL fined Google €50m ($57m) for breaching aspects of the General Data Protection Regulation (GDPR), which came into effect across the EU in May 2018. Since the law was introduced, the industry has been watching carefully to see how the first instances of noncompliance play out. Google is the first tech company to face a fine under the GDPR framework.

One of the main challengesof GDPR faced by companies involves the transparency and information requirements

The CNIL has fined Google for failing to provide users with transparent and understandable information on its data use policies as prescribed by the GDPR.Finally, we are seeing how regulators are responding to the GDPR in terms of interpretation and application since it was enacted in May 2018. The maximum fine under GDPR is 4% of global annual turnover, or €20m ($22.7m), whichever is higher. Theoretically, this means that Google could be fined almost €4bn ($4.5bn). However, in this case, the French data protection regulator has settled on €50m ($57m). On the face of it, this is not a very large amount for the firm, and the GDPR has the potential for significantly larger fines. The regulator has stated that the figure reflects the continuous and ongoing nature of the violations.

According to the regulator, the tech giant failed to meet two key requirements of the regulation:

  • It was not transparent with users about how their data is being used.

  • It did not obtain adequate consent from users to monetize their data.

In particular, Google has been accused of making it difficult for users to find information about data processing purposes, data storage periods, and the categories of personal data being used for ad personalization. This information was provided across multiple documents, help pages, and settings screens. This fragmentation makes it difficult for users to opt out of data processing for the personalization of ads. Even in instances where consent was received from a user, the French regulator found that this process did not meet GDPR standards of being specific and unambiguous. Rather than explicitly opting into targeted advertising, users are only asked to agree to a general terms and privacy policy. This is of particular concern because Google's economic model is partly based on personalized ads.

It is not surprising that the first fine levied under GDPR was a result of a lack of transparency. As Ovum'sAn Overview of the EU's General Data Protection Regulation (GDPR) reportoutlines, one of the main challenges faced by companies when implementing the GDPR involves the transparency and information requirements of the law. The level of information required to be provided to data subjects is significant, creating greater risk that controllers could get this wrong. Considering a tech giant such as Google has been caught out, it is clear that many other organizations should be concerned. According to Ovum data, 28% of companies were aware they were not compliant with the EU's GDPR following its implementation, and 37% were choosing to ignore it. It remains to be seen whether EU regulators will target smaller businesses or, as some tech companies in Silicon Valley fear, the priority will be to penalize US giants.

Data protection and privacy regulation will certainly remain at the top of the regulatory agenda for years to come, and further cases of noncompliance are likely. Consumer awareness of data protection has been increasing, particularly regarding the value of personal data. Therefore, companies should use GDPR as an opportunity to increase trust and confidence in how they store personal data. By moving away from the idea that GDPR is purely a tick-box exercise, companies can instead see it as an ongoing compliance requirement. The long-term trend will be toward building a robust global privacy program that not only focuses on GDPR but is more sustainable and implements the "privacy-by-design-and-default" concept.


Further reading

OTT Regulation Tracker: 2H18, GLB005-000105 (January 2019)

An Overview of the EU's General Data Protection Regulation (GDPR), GLB005-000075 (September 2018)

2019 Trends to Watch: TMT Regulation, GLB005-000077 (August 2018)

"Digital Futures 2018: Accelerating growth in a data-driven world," GLB005-000090 (September 2018)


Sarah McBride, Analyst, Regulation

[email protected]