Google intends to appeal the decision. The result of the appeal will impact how consent is interpreted under the GDPR and set a powerful precedent for the tech industry.
CNIL found that Google lacked transparency on how user data was processed and stored. Information regarding data processing was not easily accessible: it was spread over different pages and documents. This effectively hid the extent of Google's data processing and the conditions surrounding the data.
This decision highlights the importance to New Zealand businesses that have data processing activities in the European Union of making sure they are complying with the GDPR. Otherwise, large companies can face maximum fines of 4% of their annual global turnover (meaning for Google, it could have been almost €4bn) or €20m, whichever is higher.
Google also failed to satisfy the GDPR's requirement of consent being 'specific' and 'unambiguous'. Under the GDPR, consent must be obtained for each purpose the data will be used for, e.g. personalisation of ads or speech recognition.
Because Google's main source of revenue is from ad personalisation, the CNIL saw this as a serious violation. The fine also reflected the continuous and still occurring violations by Google under the GDPR.
The enforcement action taken by the French regulator follows a global trend of increasing scrutiny of companies that derive significant value out of personal information. New Zealand businesses should also take on board that obtaining a general consent to use customer data is no longer good enough – consent must be specific and the processing of data must be legitimate. New Zealand businesses that deal with EU citizens’ data are still captured by the GDPR.
Dr Lukasz Olejnik, an independent privacy researcher and adviser, said the ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement, and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of GDPR decade,” he said.