Lack of transparency and control leads to 50m Euro fine

As the title suggests, transparency and control appear to be the issues at the heart of what is now the largest fine imposed by an EU regulator under the GDPR. 

Transparency refers to the information provided to data subjects (users, customers, consumers, etc.) on how and why their personal data is collected, used and shared - usually provided through a privacy notice. Control speaks to the ability of those data subjects to affect how the information is used (or indeed prevent its use). 

The French data protection regulator (CNIL) took the view that providing "generic" information spread over several pages did not fulfil Google's GDPR obligations and that its users were therefore unable to understand or control how their personal data was being used over the many Google platforms. 

CNIL went further in stating that Google is still failing to provide the relevant information or control, leaving the door open for further fines if Google does not rectify the deficiencies highlighted.

Whilst it was always suspected that data heavy companies such as Google, Facebook and Amazon would be some of the first to come under the regulators' scrutiny (Google is currently engaged with GDPR investigations in seven EU countries), the size of the fine (whilst actually only representing a fraction of the potential amount Google could have been fined) has caught many commentators by surprise. 

It serves as a timely warning to ensure that privacy notices (often, generic documents copied and pasted from the Internet) do actually reflect an organisation's data processing activities and that companies are capable of responding to data subject requests if and when they are received. Understanding what personal data an organisation collects, why and how, is key to then providing this information on to data subjects and ensuring compliance with the GDPR.