The number of data breaches reported since the introduction of GDPR and the Data Protection Act 2018 have increased more than fourfold to over 14,000. The number of complaints from the public have almost doubled to 41,000, but where are the eye-watering fines that would cripple most businesses?
The Information Commissioner’s Office stated that the fines were “coming soon” but added that the focus for the ICO was “to focus on how data protection law can help firms to get it right… rather than how they might be punished if they get it wrong”.
Whilst that may seem encouraging, it would appear to be simply a matter of time before the ICO being to turn these breaches and complaints into some hefty penalties. You only need to look across Europe to see how other regulators are dealing with their new powers.
In France, the CNIL is the ICO equivalent and they dealt with complaints by 2 separate French privacy rights groups (the complaints were lodged on 25 May 2018 – the day that GDPR came into effect) surrounding the personalisation of adverts by Google. Based upon your browsing, Google were creating profiles on each person and were tailoring the advertising on Google that the user would see when they opened up Google.
Lawful Basis for Processing
The complaints were that Google did not have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR. CNIL also looked at the question of consent being provided by each of the users. In finding against Google, there were several key parts to the decision, which highlight the issues that UK companies will face when dealing with GDPR.
In relation to consent, Google suggested that there was enough information available to the users, contained within various documents, however CNIL decided that no clear and unequivocal consent had been obtained because “essential information” was “disseminated across several documents” and that “the relevant information is accessible after several steps only, implying sometimes up to five or six actions,”. Their finding was that “Users are not able to fully understand the extent of the processing operations carried out by Google.”
CNIL also looked at the arguments presented by Google that the users were given the opportunity to opt out the personalisation, however commented that as the option to personalise ads was “pre-ticked” when creating an account, this did not respect the GDPR rules.
The fine imposed by CNIL on Google was 50 million euros (£44m) and in their decision this was for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
In a statement, responding to this record fine, Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
Whilst there might be a difference in how each regulator interprets GDPR, there is no doubt that these levels of fine will become relevant to the ICO in determining the level of fines to be imposed on UK companies.
If you are concerned about your own data security and data protection measures, or feel that a data audit might be a useful step in evaluating your risk, then feel free to contact our data protection team.
The information and opinions contained in this blog are for information only. They are not intended to constitute advice and should not be relied upon or considered as a replacement for advice. Before acting on any of the information contained in this blog, please seek specific advice from Gilson Gray.