ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

The Privacy Guardians of GDPR Make Violations Expensive

Updated on February 3, 2021
saisreesub profile image

A bibliophile and technology enthusiast with a previous career in IT.

The First Six Months of GDPR

In May 2018, the General Data Protection Regulation (GDPR) came into effect in the EU after having been a work in progress for over two years. It was eagerly awaited as the first formal guardian of the common citizen’s right to privacy – a commodity that has completely vanished over time. Zealous guardians of privacy rights like NOYB (rather aptly standing for None of Your Business) have been raising complaints against the big internet players almost immediately. Subsequently, there has been a waiting period to determine how the regulators react as well as how the internet empire redefines itself. Most of the players self-certify themselves as committed to privacy protection as well as stating full compliance to GDPR. It had been predicted that the regulators were providing a six month leeway, to allow for appropriate compliance efforts and January of 2019 has seen the first attention-grabbing GDPR non-compliance penalty of significant value being announced against one of the biggest internet companies.

Google Non-compliance Investigation

The National Data Protection Commission of France (CNIL) received two complaints regarding GDPR non-compliance by Google LLC:

  1. 25 May 2018: Noyb raised a complaint on behalf of specific users of the Android mobile phones that questioned the legality of requiring a Google account and associated personal profile information, necessitating the acceptance of the Google privacy policy in order to get started with the initial configuration and use of the mobile phone.

  2. 28 May 2018: LDQN (La Quadrature Du Net) questioned the legal basis of implementing the processing of personal data for behavior analysis and targeted advertising.

CNIL had immediately started its investigation process as per the standards laid down in GDPR and eventually laid down a fine in January 2019. Google has already announced intentions of raising an appeal against the ruling.

Google Investigation Timeline

The timeline evidences that CNIL performed an in-depth analysis of the complaints, following due procedure with early intimation to Google and reviewing their responses.

Main Findings of the Investigation

CNIL determined shortcomings in Google’s personal information collection and processing on two fronts – insufficient information provided to the user and invalid consent for personal data use. The text of the full report has been published (in French) as well as a summarized press-release (in English).

Failure to Comply with Transparency and Information Obligations

Information provided by Google to users does not meet the requirements of accessibility, clarity and comprehension (Article 12) and mandatory information (Article 13) is not provided adequately. The main issue determined was that the architecture of the information provided was not providing enough clarity with the information on how the user data was being used spread across different pages such as “Rules of confidentiality and conditions of use", "Conditions of use "and" Privacy Policy " and all of these requiring multiple clicks with requests for more information. The onus of piecing together the information and comprehending the full extent of data usage by Google is on the user.

An example was provided for the advertising personalization process – listing the pages that the user has to click through in order to determine how personal information was being handled and demonstrating that this was cumbersome for the average user.

Further, accessing information on personal data retention period was also demonstrated as difficult requiring multiple actions, further obfuscated with a choice of non-explicit titles. There are four categories of retention periods:

  • Information retained until you delete it
  • Information with a timeout
  • Information retained until you delete your Google Account
  • Information kept for long periods of time for specific reasons

The information on the last category was considered inadequate, with only very general explanations of the purpose of this retention provided and no precise duration or the criteria used to determine that duration indicated.

Additionally the volume of data collected from the user in different categories was reviewed

  • data "produced" by the person (for example, his name, password, phone number, email address, means of payment, content created, imported or received, such as writings, photos or videos) ;
  • data generated by user activity (for example, IP address, unique user credentials, mobile network data, data related to wireless networks and Bluetooth devices, timestamp of actions performed, data geo-location, the technical data of the devices used including data relating to the sensors (accelerometer, etc.), the videos viewed, the searches made, the browsing history, the purchases, the applications used, etc .;
  • derived or inferred data from the data provided by that person or his activity.

The intrusive nature of this significant volume of data collection, combined with lack of clarity on how the data is used to provide a personalized experience led to the conclusion that the information provided by Google does not allow users to understand sufficiently the particular consequences of the treatment of their personal information. As such, Google uses user consent as the basis of providing personalized advertising, however, CNIL concluded that the user does not fully understand the ramifications of the data collection and analysis under the consent framework.

Further, information on the usage of the data is to be made available from the beginning of the processing cycle under GDPR. The summary report on account creation provides a very high-level information and was considered insufficient for the information requirements.

Failure to Provide a Legal Basis for the Processing

While Google reaffirms that user consent is the main hallmark of its advertisement personalization, the legality of the consent in the absence of clarity of purpose (article 6 and article 7) is questionable.

As in the case of information requirements, the multiplicity of documents to be referred and the lack of clarity on the type and nature of use of the personal data across multiple Google applications was illustrated.

Further, consent requires to be provided via affirmative user action and cannot be bundled. As such, default ticking of check-boxes and combining multiple purposes (ie) applications into a single consent are both prevalent contravening recitals 32 and 43 of GDPR. The customization of advertisements is to be done under an optional menu which defaults to acceptance and hence does not require specific affirmative action from the user, thereby rendering the consent illegal as it is neither specific nor unambiguous.

Penalty Levied

Taking into account the serious nature of the breach (violation of information requirements and consent), as well the large customer base for Android phones in France and considering the fact that Google has multiple applications offered to a single user resulting in extensive processing of user data and subsequent advertising revenue generation, a penalty of 50 million Euros has been levied. Although this is the first large penalty under GDPR, it is actually not the maximum that could have been levied (4% of revenues) under Article 83.

Other GDPR Violations Reported until early 2019

While this is the first large GDPR penalty levied and against a prominent player, it is not the first penalty under GDPR. Some of the previously published penalties include:

  1. The Austrian Data Protection Authority (DSB) fined an entrepreneur Euro 4800 for installing a CCTV in front of the establishment that covered a large portion of the public sidewalk. This violates transparency obligations as the public users of the sidewalk have not consented to being video-graphed.
  2. The Portuguese Data Protection Authority (CNPD) fined the Barreiro hospital Euro 400000 for violating principles of integrity and confidentiality, data minimization in order to limit access to patients 'clinical data, and the controllers' inability to secure the confidentiality and integrity of the data in their system.
  3. The State Commissioner for Data Protection and Freedom of Information Baden-Wuerttemberg (LfDI) fined (a social media company) Euro 20000 for violating data security by storing passwords in plain text. The early reporting of the breach by the data controller and full co-operation provided to LfDI was quoted as being responsible for the low quantum of fine.

Other reported data breaches that could be candidates for future penalties under GDPR include the British Airways customer data breach where hackers used cross-site scripting to steal personal and financial information of customers as well as the Facebook access token breach where code vulnerabilities allowed potential profile access to hackers.

One of the side-effects of GDPR is that breach reporting is being done earlier, especially when EU customer data is involved in order to comply with Article 33 that requires breaches to be notified within 72 hours.

In Conclusion

Early enforcement experience with GDPR indicates that the European regulators are taking user privacy and personal information security very seriously and are penalizing both small and large companies (including global corporations) for proven violations. With these companies using their appellate rights, the investigation and final conclusion of the cases can get extended, however, the general European public can now put their faith in the fact that complaints can be registered and processed by their country regulators. It remains to be seen whether this eventually leads to a change in the internet economy where personal information is one of the most actively traded commodities. Analysis of the early enforcement also help companies understand how different regulators interpret the various articles and recitals of GDPR and can be used to audit existing privacy protection features for sufficiency.

The European Union has received 95000 complaints under GDPR as of January 2019, although five EU countries are yet to complete adoption of GDPR.

Note: The facts of the investigation discussed in this article have been translated from the original French using free internet tools. The author would be happy to correct any discrepancies in facts that arise due to such translation.

© 2019 Saisree Subramanian


This website uses cookies

As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

Show Details
HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
LoginThis is necessary to sign in to the HubPages Service.
Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
AkismetThis is used to detect comment spam. (Privacy Policy)
HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
MavenThis supports the Maven widget and search functionality. (Privacy Policy)
Google AdSenseThis is an ad network. (Privacy Policy)
Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
Index ExchangeThis is an ad network. (Privacy Policy)
SovrnThis is an ad network. (Privacy Policy)
Facebook AdsThis is an ad network. (Privacy Policy)
Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
AppNexusThis is an ad network. (Privacy Policy)
OpenxThis is an ad network. (Privacy Policy)
Rubicon ProjectThis is an ad network. (Privacy Policy)
TripleLiftThis is an ad network. (Privacy Policy)
Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)
ClickscoThis is a data management platform studying reader behavior (Privacy Policy)