Google GDPR fine shows 'embarrassing' extent of how firms misuse people's data

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Google has become the first tech giant to be hit with a record fine for breaching the EU's General Data Protection Regulation (GDPR). But experts warn the case is "just the tip of the iceberg".

The €50 million (£44m) fine issued by French regulator CNIL was triggered by complaints relating to how Google handled people's data, and as one of the biggest handlers and processors of people's data in the world it is not surprising that Google was the first to feel the financial consequences of breaching GDPR rules.

The amount was still way below the maximum fine allowed under the new rules, though perhaps more significant than the amount are the implications of the fine on the rest of the tech industry. Data experts warn other major tecnology firms will be next in line due to their lax approach to people's data, with Google's fine potentially representing a seminal moment for people's privacy.

“This decision goes way beyond Google. Indeed, companies like Facebook, Amazon, but also any companies with a similar business model based on the processing of personal data for targeted advertising could be sanctioned to high fines in the near future," said Sonia Cissé, a managing associate at London-based law firm Linklaters.

“More than just a significant amount of money, this sanction is particularly detrimental to Google as it directly challenges its business model and will, in all likelihood, require them to deeply modify their provision of services."

Google may have been the first major tech company to be hit with a fine but many more have been publicly accused of breaching GDPR rules. A wave of complaints against technology giants – including Amazon, Apple, Netflix and Spotify – have accused them of being in violation of Article 15 of GDPR, which requires them to respond to private citizen's data requests.

Research from cloud data firm Talend reveals that the scale stretches far beyond technology firms, with an estimated 74 per cent of UK organisations failing to address requests from individuals seeking to get hold of their personal data within the one-month specified time period. The research, which is based on personal data requests made to 23 companies based or operating in the UK, found that only 17 per cent of companies complied correctly with the requests, while a further 9 per cent gave incomplete or delayed responses.

Jean-Michel Franco, a senior director at Talend, describes the issue as "embarrassing" and refers to Article 15 as the "Achilles' Heel" of most organisations when it comes to complying with GDPR.

"The world has been on tenterhooks waiting for the first major fine to be enforced for a breach of the GDPR – and this week they got what they were waiting for," Mr Franco said. "There is a great deal of work to do in this area. A delay, or complete lack of a response, will only continue to damage free-falling consumer trust in how organisations store and organise their data."

The €50 million fine may not seem like a lot for a company the size of Google – last quarter alone Google's parent company Alphabet generated almost 600-times that amount in revenue – but much more severe fines could be imposed in the future.

The maximum amount that firms can be fined under GDPR is €20 million or 4 per cent of global turnover, whichever is larger. For the likes of Google, Amazon and Apple, this figure would stretch well into the billions.

"The penalty imposed on Google by the French regulator can be seen as a warning shot at the digital industry at large," said Ron Moscona, a partner at international law firm Dorsey & Whitney who focuses on privacy rights.

"Regulators can impose much higher penalties if they choose to. The indications are that after many years of under-enforcement, regulators in the EU are prepared to use GDPR and flex their muscles."