This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.
Here are some reactions Help Net Security received.
Fouad Khalil, VP of Compliance, SecurityScorecard
The new year is upon us, and so are GDPR enforcement and fines. Companies that have sat back and watched the privacy tidal wave hoping that it will miss them should reconsider. As with any new regulation, most companies scramble to comply once they realise the ramifications are real! We are learning that no one is beyond GDPR’s reach – Google was fined 50 million euros on January 21, 2019 because people were “not sufficiently informed” about how Google collected data to personalise advertising.
This is the first large fine by a GDPR regulator. The fact that it was the French privacy watchdog that issued the fine is no surprise. CNIL is the only regulator that has issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France, where it is considered to be more effective.
The regulator indicated that Google provided inadequate information to its consumers and obtained invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is. Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it, as continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.
In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase.
Ryan Kalember, SVP, Cybersecurity Strategy, Proofpoint
This GDPR fine brings to light some vital lessons for other businesses observing this crisis from a distance. By becoming the highest-fined company since GDPR came into force, Google is now the black-and-white case study of ‘what could happen’ in the event of non-compliance. In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data, and who within your business has access to that data.
Many organisations are still unsure whether their GDPR compliance strategy is 100 percent fit for purpose, but this incident signals that long gone are the days when privacy could be relegated to an IT or compliance effort: the magnitude of this fine clearly shows this is a business issue. Compliance professionals now have a use case to take to the board to secure any funding and resources they need to become GDPR compliant if their organisation isn’t today.
Anurag Kahol, CTO, Bitglass
Google being fined for its noncompliance with GDPR will likely pave the way for penalties for other prolific companies that have not yet met the demands of the new law. Until this point, data protection authorities have been incredibly patient with companies – GDPR has been in full effect for nearly a year now. However, it seems this grace period is more or less passing.
While Google may be able to absorb this financial penalty, other companies are likely not large or successful enough to do so. This instance should be a wake-up call for organizations everywhere to begin taking data privacy far more seriously.
Jonathan Bensen, interim CISO, Balbix
CNIL’s decision to fine Google does not seem to be aimed towards solving the issue, but towards making money. Most people should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.
If CNIL wanted to take a step in the right direction, they should suggest Google change the language in its Terms of Service versus imposing a fine without offering a solution. While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.
Matt Walmsley, EMEA Director, Vectra
And so CNIL, the French Supervisory Authority, flexes its muscles, and Google is the first big scalp for GDPR fines. Others will follow!
User experience and clarity in terms and conditions have been used to remind us that data management and use are just as important as data security within GDPR. I’d expect Google to challenge the ruling, and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others.