France's Commission nationale de l'informatique et des libertés (CNIL) has fined Google €57 million under the EU General Data Protection Regulation (GDPR), which came into effect in 2018.
CNIL, in charge of data privacy in France, says Google failed to fully disclose how personal information from users is collected and ultimately what happens to it. Google, according to reports, also did not obtain user consent to display advertisements personalized by the search engine. CNIL said:
"The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations."
One of the issues identified by CNIL is that user information and permissions are "excessively disseminated across several documents."
The investigation into Google began at the same time GDPR was passed into law, when concerns were raised by privacy groups representing 10,000 individuals.
Google has responded by saying it is "studying the decision" before taking steps, and that "[p]eople expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
For Google, CNIL's current case is about the clarity of data use and permissions. Blockchain technology may present both a solution for GDPR, in the form of permission transparency, and a challenge, as blockchain networks can disseminate data freely across geographical borders.
Blockchain's ability to provide an immutable record, accessed in real time by any approved stakeholder, could pave the way for technology users to control all their accounts and privacy settings in a single place, only sharing the information needed to access a service when required.
The challenge for blockchain and GDPR is blockchain's decentralized nature. Rather than using a central data server, a blockchain ledger is shared across many participating nodes. These nodes, or computers, can be located anywhere in the world, meaning that user data crosses borders, however encrypted it may be.
GDPR also allows individual data owners to request that their data be removed or deleted; they have a "right to be forgotten." Yet once data is encrypted or hashed and written to a blockchain, it becomes a permanent part of the entire database.
This particular case involving Google does not address the issue of where data is stored. A prospective GDPR case concerning the location of user data and whether it travels across borders may eventually set a precedent for blockchain's relationship with the new European data privacy laws. With some calling for the US to set a similar standard, privacy compliance is set to become a global issue.
Correction: The original version of this article stated that Google had been fined $57 million. The correct figure is €57 million.