French data regulator, CNIL have fined Google 50 million euros (£44 million) for breaching the new EU data law (General Data Protection Regulation)

Two privacy rights groups filed complaints against Google. The first being on 25th May 2018, which is the day the GDPR legislation came into force. They claimed that Google did not have the required legal basis for processing personal user data, with regards to its ad personalisations.

CNIL (the French data regulator) were assigned the investigation, despite Google headquarters being based in Ireland.

What did the investigation find?

CNIL said it had levied the record fine for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". The regulator said that "Users are not able to fully understand the extent of the processing operations carried out by Google." They had not obtained clear consent to process data because "essential information" was "disseminated across several documents".

As well as this, CNIL found that Google had not obtained a valid legal basis for processing the user data, saying that "the information on processing operations for the ads personalisation is diluted in several documents", and that users were presented with pre-ticked boxes when creating an account, which is another direct violation of the GDPR.

The regulator said in a statement "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR — transparency, information and consent.”

Googles Response

A statement issued by Google said  "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."

Unfortunately for Google, this is not the first multi-million pound fine they have been issued with, but it does set the precedent for the consequences of disregarding the General Data Protection Regulation (GDPR).