Tech giant Google has become the first corporate entity hit with a multi-million dollar fine for failing to properly disclose how the personal information of its users was being collected and utilised, a breach of the European Union’s General Data Protection Regulation (GDPR).
The landmark fine was handed down by the French data-privacy agency, CNIL, which alleged Google “did not properly obtain users’ consent for the purpose of showing them personalised ads,” according to The Washington Post.
France’s regulator CNIL issued a statement outlining that “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
“The restricted committee observes that the users’ consent is not sufficiently informed,” according to the CNIL.
This statement may well refer to the fact that the default settings after initially creating an account enable personalised ads, along with the collection of data a user may be unaware or uninformed of.
Google has since responded, issuing a statement that said the company was “studying the decision to determine our next steps.”
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” Google said.
Estelle Massé, a member of the advocacy group Access Now, was quoted by The Washington Post: “Google is not the only one doing this,” and likened the $57-million fine to a warning shot across the bow for other tech companies that engage in similar practices.
“This is significant for Google as a company but also for other actors.”
In an Australian context, we can see that geography won’t excuse companies from failing to fall in line with the GDPR legislation. According to the Office of the Australian Information Commissioner, “Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.”
“The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- implement a privacy by design approach to compliance.
- be able to demonstrate compliance with privacy principles and obligations.
- adopt transparent information handling practices.”
If an international enterprise, be it Australian, South African or Argentinian, does business with a European client, or uses marketing techniques that monitor the browsing habits of Europeans, it will need to follow the GDPR’s requirements or risk a similar fine.