CNIL, the French data protection watchdog, issued its first GDPR fine of $57 million to Google, claiming that they failed to comply with GDPR when new Android users set up a new phone and follow Android’s onboarding process.
The era of #GDPR enforcement is upon us ! #France @CNIL kicks it off. #Google hit with £44m GDPR fine over ads https://t.co/N4TaDSiUMz #GDPRCompliance #privacy #EUData #dataprotection #Datasecurity #compliance #cybersecurity #infosec
— damase (@damase) January 22, 2019
Experts Comments Below:
Anurag Kahol, CTO and Co-founder at Bitglass:
“Google being fined for its noncompliance with GDPR will likely pave the way for penalties for other prolific companies that have not yet met the demands of the new law. Until this point, data protection authorities have been incredibly patient with companies – GDPR has been in full effect for nearly a year now. However, it seems this grace period is more or less passing. While Google may be able to absorb this financial penalty, other companies are likely not large or successful enough to do so. This instance should be a wakeup call for organizations everywhere to begin taking data privacy far more seriously.”
Jonathan Bensen, interim CISO at Balbix:
“CNIL’s decision to fine Google does not seem to be aimed towards solving the issue, but towards making money. Most people should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.
If CNIL wanted to take a step in the right direction, they should suggest Google change the language in its Terms of Service versus imposing a fine without offering a solution. While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.”
Dr Guy Bunker, SVP of Products at Clearswift:
“The key thing to take from this news is that this is a substantial fine in the name of GDPR. It’s nowhere near the maximum available fine, but it is enough to make organisations sit up and take note. It also shows that no organisation is above the law and the regulators will go after big names.
“For businesses now fearing the risk of substantial fines to their own organisations, the key to compliance centres on three aspects. People, processes and technology are vital areas that organisation’s need to review to gain visibility and control of critical data in order to comply with the GDPR. The board should be working together with middle management on their organisation’s GDPR compliance to maintain a clear understanding of the state of their organisation’s data security status.”
Fouad Khalil, Vice President of Compliance at SecurityScorecard:
“The new year is upon us as is GDPR enforcement and fines. Companies that have sat back and watched the privacy tidal wave hoping that it will miss them, should reconsider. As with any new regulation, most companies scramble to comply once they realise the ramifications are real!! We are learning that no one is beyond GDPR reach – Google was fined 50 million euros on January 21, 2019 due to people “not sufficiently informed” about how Google collected data to personalise advertising.
This is the first large fine by a GDPR regulator. Given the fact that it was the French privacy watchdog (CNIL) that issued the fine is no surprise. CNIL is the only regulator that issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France where it is considered to be more effective.
The regulator indicated that Google provided inadequate information to its consumers as well as had invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is. Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it as continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.
In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase.”
Matt Lock, Director of Sales Engineering at Varonis:
“The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar– their luck may be running out soon.”
Javvad Malik, Security Advocate at AlienVault:
“This could be one of the first high profile tests of GDPR and how it pans out in the real world.
The fine can be summed up into a lack of transparency. Companies need to be transparent and clear with its users as to what data it is capturing and for what purposes. In this case, CNIL has decided that Google was neither transparent, nor clear with users – resulting in users making misinformed choices.
Customer data of all sorts, whether that be PII, or even metadata should be considered carefully by companies. Before storing or processing information about customers, companies should ask themselves two questions. First, what purpose the data is being used for and for how long, and secondly, have the users truly given informed consent – if the answer to either is unclear, then they should not go ahead with it.”
Matt Walmsley, EMEA Director at Vectra:
“And so CNIL, the French Supervisory Authority flexes its muscles and Google is the first big scalp for GDPR fines. Others will follow!
User experience and clarity in terms and conditions have been used to remind us that data management and use are just as important as data security within GDPR. I’d expect Google to challenge the ruling, and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.