This weekend, Google was fined 50 million euros (over $55 million) by France’s Data Privacy Authority, CNIL, for breaching Europe’s (fairly) new General Data Protection Regulation.
GDPR lays the framework for the legal processing of personal data, requiring that companies have a lawful basis for processing a user’s personal information. This lawful basis can result from the user’s genuine consent prior to collecting personal information; processing necessary for the performance of a contract, compliance with a legal obligation, to protect the vital interests of a data subject or natural person, for the performance of a task in the public’s interest, or for the purpose of the legitimate interests of a controller or third party.
The GDPR went into effect on May 25, 2018. Shortly after its enactment, two privacy rights groups, noyb (Max Schrems’ brainchild) and La Quadrature du Net (LQDN) filed complaints against Google with the CNIL. The noyb complaint was filed on May 25, the same day the Regulation took effect.