The French data protection authority is taking on the big players: the "Commission Nationale de l'Informatique et des Libertés" (CNIL) has fined Google 50 million euros. The reason: Google LLC has violated the EU General Data Protection Regulation (GDPR). Not because user data was stolen, but because the company is not transparent enough about how it uses personal data. The size of the fine was justified by Google's market dominance and the company's lack of transparency.
According to the French data protection authority, the information on the purposes of data processing, the retention periods and the categories of personal data used to personalise advertisements is too complex. Users must first work through several documents and click on various links to reach the information they need. In addition, users have not given effective consent to the use of their data for advertising purposes: the settings for displaying personalised advertising are already pre-selected and hidden so cleverly that hardly anyone will find them. Moreover, it is not possible to object to Google's data collection at all if you wish to use the service. The fine was imposed in response to complaints from the French organisation "La Quadrature du Net" and the Austrian organisation "None of your business" (noyb).
The timing of the penalty, on January 21st, was no coincidence: in December, Google had announced that from January 22nd its Irish subsidiary, and no longer its US headquarters, would be responsible for processing EU citizens' data. A smart move, because the Irish data protection authority is well known for its lax enforcement. No wonder: alongside Google, companies such as Facebook, Twitter, Apple, Microsoft, Amazon and eBay have also settled there, and it is unlikely that the Irish authorities want to upset the global players. It is therefore very convenient for these companies that EU rules make the data protection authority of the country in which the company's headquarters are located responsible. All other data protection authorities must now coordinate with the Irish authority whenever complaints are made against these companies. So we will see whether more fines follow and how high they are. There will certainly be enough complaints.
Even though there was no data leak in Google's case, the question remains: how secure is all the data that Google collects about its users? One thing is clear: nobody can prevent data from being stolen, but encryption can ensure that nobody can do anything with stolen data. However, not all encryption is the same. Cloud providers always say that they encrypt with state-of-the-art technology. This usually means "SSL", which you recognise by the padlock next to the address bar in the browser. But this is only so-called transport encryption: the browser encrypts the data and the cloud provider decrypts it completely on arrival. Done correctly, this protects at best against eavesdropping while the data is in transit; the cloud provider itself still has access to all the information at all times. And if the provider is hacked, the attackers can access that data too.
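To make the difference concrete, here is an added example in Python (not code from the article or from any provider named in it). It models a hypothetical cloud provider in two ways: in the transport-only flow the browser and the provider share a session key, so the provider decrypts the upload and stores plaintext, which is exactly what a breach of its storage then exposes; in the client-side flow the data is encrypted with a key only the user holds before it leaves the client, so a breach yields only ciphertext, while the user can still decrypt. The cipher itself is a standard-library-only illustration (HMAC-SHA256 in counter mode as the keystream, encrypt-then-MAC with a constant-time tag check); a real deployment would use an AEAD such as AES-GCM or ChaCha20-Poly1305. The provider class, the sample record and the key handling are all assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample "user data" a browser might upload (not real data).
SAMPLE_RECORD = b"user=alice; ads_interests=hiking,cameras; location=Paris"


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF-based keystream.

    Illustrative construction using only the standard library; a real
    system would use an AEAD cipher such as AES-GCM or ChaCha20-Poly1305.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()  # derive separate keys
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raises ValueError on a wrong key or tampering."""
    if len(blob) < 16 + 32:
        raise ValueError("blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class CloudProvider:
    """Hypothetical provider: whatever it stores is what an attacker gets in a breach."""

    def __init__(self) -> None:
        self.storage: dict[str, bytes] = {}

    def receive_over_tls(self, session_key: bytes, record_id: str, wire_bytes: bytes) -> None:
        # Transport encryption ends here: the provider holds the session key,
        # decrypts the upload and keeps the plaintext.
        self.storage[record_id] = decrypt(session_key, wire_bytes)

    def receive_opaque(self, record_id: str, blob: bytes) -> None:
        # Client-side encryption: the provider never receives a key, only ciphertext.
        self.storage[record_id] = blob

    def breach(self, record_id: str) -> bytes:
        # Models a compromise of the provider's data store.
        return self.storage[record_id]


def transport_only_flow(provider: CloudProvider, data: bytes) -> bytes:
    """Browser and provider share a TLS-like session key; returns what a breach exposes."""
    session_key = secrets.token_bytes(32)  # stands in for the key negotiated by the TLS handshake
    provider.receive_over_tls(session_key, "tls-record", encrypt(session_key, data))
    return provider.breach("tls-record")


def client_side_flow(provider: CloudProvider, user_key: bytes, data: bytes) -> bytes:
    """Data is encrypted with a key only the user holds before it leaves the client."""
    provider.receive_opaque("e2e-record", encrypt(user_key, data))
    return provider.breach("e2e-record")


def demo(data: bytes = SAMPLE_RECORD) -> dict:
    """Run both flows against one provider and report what a breach yields in each."""
    provider = CloudProvider()
    user_key = secrets.token_bytes(32)
    leaked_tls = transport_only_flow(provider, data)
    leaked_e2e = client_side_flow(provider, user_key, data)
    return {
        "transport_only_leak": leaked_tls,                       # plaintext: the breach exposes everything
        "client_side_leak": leaked_e2e,                          # ciphertext: useless without user_key
        "client_side_recovered": decrypt(user_key, leaked_e2e),  # the legitimate user can still read it
    }


if __name__ == "__main__":
    result = demo()
    print("transport-only breach yields:", result["transport_only_leak"])
    print("client-side breach yields:   ", result["client_side_leak"][:24].hex(), "...")
```

The design point is where the key lives: transport encryption is the right tool for the wire, but it terminates at the provider, so the provider's storage (and anyone who compromises it) sees plaintext. Client-side encryption moves the trust boundary to the user's device; the provider can still store, back up and serve the blob, but can neither read it nor alter it undetected, which is what the authenticated decryption check enforces.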
So Google, Facebook and others, what else needs to happen to make companies aware of their responsibility in handling personal data?