Google has been fined 50 million euros by the French data watchdog, CNIL for breaches under the General Data Protection Regulation (GDPR).

Google intends to appeal the decision. The result of the appeal will impact how consent is interpreted under the GDPR and set a powerful precedent for the tech industry. 

CNIL found that Google lacked transparency on how user data was processed and stored. Information regarding data processing was not easily accessible: it was spread over different pages and documents. This effectively hid the extent of Google's data processing and the conditions surrounding the data.

This decision highlights the importance to New Zealand businesses that have data processing activities in the European Union of making sure they are complying with the GDPR. Otherwise, large companies can face maximum fines of 4% of their annual global turnover (meaning for Google, it could have been almost €4bn) or €20m, whichever is higher. 

Google also failed to satisfy the GDPR's requirement of consent being 'specific' and 'unambiguous'. Under the GDPR, consent must be obtained for each purpose the data will be used for, e.g. personalisation of ads or speech recognition.

Instead, consent was obtained from users being asked to agree to Google's terms and privacy policy, rather than specifically asking users to 'opt in' for each use of their data.

Because Google's main source of revenue is from ad personalisation, the CNIL saw this as a serious violation. The fine also reflected the continuous and still occurring violations by Google under the GDPR. 

The enforcement action taken by the French regulator follows a global trend of increasing scrutiny of companies that derive significant value out of personal information. New Zealand businesses should also take on board that obtaining a general consent to use customer data is no longer good enough – consent must be specific and the processing of data must be legitimate. New Zealand businesses that deal with EU citizens’ data are still captured by the GDPR.