The French Authorities fine Google $57 M for violation of GDPR
The GDPR went into effect on May 25, 2018. Thus far, this is the largest fine, but it will surely not be the last. The fine was based on violations of some very fundamental GDPR concepts:
1.) In order for a data subject (user) to provide effective consent, the notice must be clear and plainly stated. The information was interspersed with other materials and spread over several pages. In this matter, the French agency CNIL found that data subjects did not necessarily understand that their consent was the legal basis for processing;
2.) The data subjects (users) could also not understand the massive processing that Google would undertake for over twenty processing purposes. A data subject is entitled to know the extent of the “massive and intrusive” processing undertaken; in this case, that description was too vague.
These two concepts were the ones relied upon; however, it is reasonable to believe that other GDPR concepts and principles might also have been violated. It is important to obtain a data subject’s (user’s) consent in a transparent manner, which generally means defining what data you will process and for what specific purpose. In addition, the consent should describe the intended audience and the duration of that processing, so that the data subject knows who will have exposure to their data and for what purposes before they provide their consent. The ambiguity of the data subject’s consent was therefore not the only problem with Google’s consent; many of these prongs could have been relied upon in supporting that GDPR consent violation. Equally as important as knowing what you are consenting to is the duty of the controller, Google in this case, to provide the data subject (user) with a simple and clear right to rescind their consent. While that was not discussed in the surrounding news article, even if consent were effective, it would appear they failed to provide an adequate withdrawal function required in proper GDPR consents.
The second element that they relied upon in this finding was an inadequate explanation of the extent of Google’s “massive and intrusive” processing. One of the core concepts behind GDPR is “Data Minimization,” which means using only the smallest amount of data, for the specific noted purpose, and only for the shortest period of time, i.e., to be deleted thereafter. Conceptually, it would appear the French authorities found this consent was structured as more of a blank check, with no boundaries on what was being processed, for what specific purposes, or over what period of time. So the data subject’s (user’s) consent was not clear, nor did Google adequately disclose in a clear and transparent manner that the data would be used for over twenty different purposes.
The point is, there were many avenues open to French authorities to pursue this complaint; the two claims that they mentioned were just a part of the broader GDPR violation.