€50m Penalty Highlights Strict Application of GDPR.

When it was introduced in May 2018, Europe’s General Data Protection Regulation (GDPR) set what many see as a new gold standard for data privacy. A wide-ranging piece of legislation, the GDPR sets out seven key principles:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Compliance with these principles is deemed to be the foundation of any best-practice data governance policy. As such, a failure to comply with these principles could result in a significant financial penalty.

In the past, penalties for poor data governance have not been especially severe, so they haven’t acted as much of an incentive to adopt best practice. Under the GDPR that appears to have changed. Just ask Google.

Google is the second major tech firm (after Facebook) to be fined for poor data practices in recent months. Google was hit with a €50 million fine by the French data protection watchdog CNIL, under the auspices of the GDPR.

The fine follows two complaints that Google failed to meet the acceptable standards of transparency laid down by the GDPR. The complaints were based on users’ inability to easily locate details of the categories, processing purpose and storage duration of data used to personalise Google Ads.

Although the breach is one of principle, rather than negligence, the penalty is significant. Granted, €50 million is a drop in the ocean for Google (under the GDPR, it could be fined up to 4% of global turnover, around €4 billion) but it sends a message that the GDPR has teeth and its bite is just as effective as its bark.

The effectiveness of the GDPR has not gone unnoticed by other governments. In Australia, the Senate has begun to ask for GDPR-style data privacy and security laws to replace what some cyber-security experts have criticised as being “weak and ineffective”.
