In January 2019 the French Government – never slow to see an opportunity to levy fines, taxes and other impositions, levied a fine of €50 million through its French data protection authority on Google for violating the EU General Data Protection Regulation in France. This is the first French sanction against US tech giants for violation of the GDPR guidelines.
GDPR came into force on 25 May 2018 and regulates the European Union’s data protection and overhauls the European Union’s data protection. It establishes a uniform framework for data protection across the EU and regulates the way businesses process and manage personal data in order for citizens to recover control over the use of their personal data.
GDPR applies any business that processes personal data whether automated or manual, whether directly or on behalf of other parties and which is based in the EU or any foreign company which is offering goods and services to individuals within the EU. In short, GDPR applies to almost any country and company whose business is somehow linked to Europe.
What is personal data? Just about any piece of information that relates to an identified or identifiable individual: Name, address, location, income, banking information, health, religion, sexual orientation, race, political belief or Trade Union membership.
There is rarely action of a company in its everyday business activities that don’t include some data processing, collecting email address, consulting a database, sending promotional emails, posting pictures of people on social media etc. Now, of course, GDPR mandates that data collection be fair and transparent and for a specified and legitimate purpose based on the following grounds;
1. The consent of the concerned individual, 2. contractual obligation between the company and the individual, 3. provision to protect the vital interests of the individual and 4. to carry out a task that is in the public interest.
One of the major challenges to this regulation is to obtain the proper consent of each individual in order to collect and use such personal data. It should be freely given, specifically informed and without any ambiguity and by an affirmative act such as ticking a box or signing a form.
The French data regulator has fined Google for not being transparent about its policies, for failing to provide information retention provisions in some cases and for failing to obtain proper consent from users for personalized ads.
Of course, Google could have had it much worse – the maximum penalty under the GDPR is 4% of global revenue which in Google’s case is more than US$4 billion. Still, it shows that the EU authorities are starting to bite down. Compliance with GDPR is going to be one of the EU challenges for the following years, pushing EU and international companies dealing with the EU to comply with such regulations. Don’t hand over well-earned money by way of fines to France or any other EU country because you are in breach of GDPR. Do it right. Get a lawyer. Get OLN.