Google Hit with Biggest Ever GDPR Fine

The biggest GDPR fine to date was issued by France’s National Data Protection Commission (CNIL) to Google for multiple GDPR violations, the regulator recently announced. The fine? A whopping 50 million euros (about $57 million).

Two Types of GDPR Violations

First, CNIL found that Google provided information to users in a non-transparent way: “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” according to the CNIL.

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

Confirming Customer Sentiment

The CNIL’s findings echo what many users have felt when dealing with the privacy settings of large online companies such as Google and Facebook: while it may be possible to opt out of various ads personalization and data processing schemes, the process and settings are too convoluted for many users to understand.

Major GDPR Benchmark

This fine is the first CNIL has imposed related to GDPR. It is not, however, the first time CNIL has fined Google for a privacy violation. In 2011, the regulator fined Google $141,000 for gathering data from private Wi-Fi networks while collecting Google Street View imagery. And, in 2014, CNIL fined Google $200,000 for not being transparent enough about a privacy policy change.

“The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent,” CNIL said.

“Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” CNIL continued.

Although GDPR only safeguards Europeans’ personal data, its impact is being felt worldwide. Technology giants such as Microsoft and Facebook have said they will apply GDPR’s principles worldwide. Many believe that the privacy law, over time, will cause privacy and data regulations around the world to offer greater protections.


Given that it is an EU regulation, many companies worldwide struggle to understand whether and how GDPR applies to them. Organizations must get familiar with GDPR and assess whether it applies to them and how to comply if it does. For example, if you offer goods or services in Europe or even just process personal data of EU residents, then you’ll probably need to comply with GDPR and its requirements!
