CNIL, the French data protection watchdog, issued its first GDPR fine of $57 million to Google, claiming that the company failed to comply with GDPR when new Android users set up a phone and go through Android’s onboarding process.
The era of #GDPR enforcement is upon us! #France @CNIL kicks it off. #Google hit with £44m GDPR fine over ads https://t.co/N4TaDSiUMz #GDPRCompliance #privacy #EUData #dataprotection #Datasecurity #compliance #cybersecurity #infosec
— damase (@damase) January 22, 2019
Experts’ Comments Below:
Anurag Kahol, CTO and Co-founder at Bitglass:
Jonathan Bensen, interim CISO at Balbix:
“If CNIL wanted to take a step in the right direction, they should suggest Google change the language in its Terms of Service versus imposing a fine without offering a solution. While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.”
Dr Guy Bunker, SVP of Products at Clearswift:
“For businesses now fearing the risk of substantial fines to their own organisations, the key to compliance centres on three aspects. People, processes and technology are vital areas that organisations need to review to gain visibility and control of critical data in order to comply with the GDPR. The board should be working together with middle management on their organisation’s GDPR compliance to maintain a clear understanding of the state of their organisation’s data security status.”
Fouad Khalil, Vice President of Compliance at SecurityScorecard:
“This is the first large fine by a GDPR regulator. That it was the French privacy watchdog (CNIL) that issued the fine is no surprise. CNIL is the only regulator that has issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France, where it is considered to be more effective.
The regulator indicated that Google provided inadequate information to its consumers as well as had invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is. Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it as continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.
In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase.”
Matt Lock, Director of Sales Engineering at Varonis:
Javvad Malik, Security Advocate at AlienVault:
“The fine can be summed up as a lack of transparency. Companies need to be transparent and clear with their users as to what data they are capturing and for what purposes. In this case, CNIL has decided that Google was neither transparent nor clear with users – resulting in users making misinformed choices.
Customer data of all sorts, whether that be PII or even metadata, should be considered carefully by companies. Before storing or processing information about customers, companies should ask themselves two questions: first, what purpose the data is being used for and for how long, and second, have the users truly given informed consent – if the answer to either is unclear, then they should not go ahead with it.”
Matt Walmsley, EMEA Director at Vectra:
“User experience and clarity in terms and conditions have been used to remind us that data management and use are just as important as data security within GDPR. I’d expect Google to challenge the ruling, and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.