Google Receives GDPR’s First Big Punishment

Feb 7, 2019

Last year, the European Union (EU) implemented a tough set of regulations called the General Data Protection Regulation (GDPR). These rules were created to “empower all EU citizens data privacy and reshape the way organizations across the region approach data privacy.” You can read all the GDPR details in our blog here. Less than a year after GDPR took effect, a major tech company has violated its terms. Thanks to some data collection rule-bending, Google now owes the EU $57 million.

What happened?

In short, Google didn’t get consent to use its clients’ data for personal advertising. Ever notice how anything from Google Ads is a little too spot on? It’s because they’re tracking your web history and searches to curate personalized advertising, which is illegal in the EU, according to GDPR.

And data privacy authority CNIL accused Google of making users’ lives too difficult by hiding exactly how their personal data is used or how long it’s stored. This is definitely a concern for anyone using the web, not just those wearing tinfoil hats!

Everyone knew this was coming!

How does this affect Google?

Google made $33.7 billion in revenue last quarter, so the fine is a drop in the bucket. Yet, Google plans to appeal the ruling. They say that GDPR doesn’t clearly state its requirements for businesses. GDPR has certainly created confusion with exemptions for a company’s “legitimate interest” to collect personal data. Is Google’s interest legitimate in creating personalized ads?

The appeal may result in better clarification for the gray areas in the GDPR since Google is only one of many companies collecting data for advertising purposes. No matter the outcome, this case will lead to further investigation of GDPR terms and companies under suspicion of violation.

Are there more fines to come?

Laws similar to GDPR are currently being evaluated in several US states, and federal action will inevitably follow. Even if data privacy laws like GDPR don’t come to the US, it’s likely that more charges will come. Big companies have been freely collecting user data for years, and GDPR’s fairly quick rollout didn’t give companies a lot of time to prepare.

It’s a small slap on the wrist for arguably the largest collector of personal data in the world, but it’s a start. Will Google have to change its targeting tactics? Will the appeal be successful? We’ll have to see how it plays out, but, either way, the importance of personal data management is finally starting to register with world governments.