It has been reported recently that Google has been issued with a major fine of £44 million (57 million euros) by French authorities for non-compliance with the GDPR: the most significant fine since the introduction of the GDPR. This is the first major fine going into millions of pounds. It is an indicator that regulatory authorities are willing to levy substantial penalties for non-compliance.
The guidance on enforcement given before the GDPR came into force indicated that one of the aims was to have a consistent application of fines across Europe. So far, several countries have issued fines:
- Germany – A German regulator imposed a relatively modest fine of €20,000 on a social media company which stored customer passwords in plain text and not encrypted or ‘hashed’. Passwords were stolen in a hacker attack affecting 330,000 users. It is understood that the authority looked favourably on the company’s strong cooperation and willingness to implement recommendations, which may have been taken into account in calculating the fine.
- Austria – A retailer was fined €4,800 in respect of a surveillance camera which captured too much of the pavement area beside the retailer’s premises. This was considered to be large-scale monitoring of a public space without proper authority and transparency, including the fact that there was no notice advising that surveillance was being carried out.
- Portugal – A hospital was fined €400,000 for failures to implement appropriate technical and organisational measures to protect patient confidentiality and data, including limiting access to data. Particular issues included that non-clinical hospital staff had access to patient data through false user profiles – the IT system had 985 registered doctor profiles but only 296 doctors. Doctors also had unrestricted access to all patient files, regardless of their specialism.
The fine imposed on Google by the French regulatory authority, CNIL, relates to targeted advertising and ad personalisation. It found there was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”, noting that information about the use of data was spread across a number of documents and required up to five or six actions on the part of the user to access. It also noted that the user had to consent in full to all processing, and consent for ad personalisation was not separated. Additionally, the option for advert personalisation was ‘pre-ticked’ when creating a Google account, which does not comply with the consent requirements in the GDPR.
The fine is actually comparatively low as the maximum in Google’s case would be a potential fine of €3.6 billion: 4% of global turnover. However, the more significant implication is likely to be that the required changes to ensure compliance and avoid future fines go to the heart of Google’s practices. Various commentators have suggested this is a warning shot to technology companies to encourage compliance. There are complaints pending against various companies with similar practices, including Amazon, Netflix, Spotify, Facebook and Instagram.
It is possible going forward that fines will be higher as those already imposed highlight practices which are considered unacceptable.
Guidance indicates that factors to be considered when imposing a fine include:
• The nature, gravity and duration of the infringement and the type of data involved;
• Whether the infringement was negligent or deliberate;
• Any action taken by the organisation to mitigate the damage suffered by individuals;
• Technical and organisational measures that have been implemented by the organisation;
• Any previous infringements and the nature of these;
• The degree of cooperation with the regulator to remedy the infringement;
• The manner in which the infringement became known to the supervisory authority (for example, did the organisation self-report it or was it the result of a complaint).
This guidance and the fines imposed so far, particularly the one by the German authorities referred to above, indicate that cooperation, the taking of measures to rectify the issue and reporting rather than covering up the issue might reduce the level of a financial penalty where one is imposed.