Google has a poor record on GDPR requirements. And in fact, common themes among the issues that they have are undisclosed secondary uses and unreasonable data retention.
Is that true? From what I can find the total amount of their fines is not more than $100M, which is less than I would expect given their size if they were conducting willful ongoing violations. And neither of the two biggest cases involved willful data retention like this: one was about cookie consent and one was about right to be forgotten.
Fine amount is a poor measure of compliance, for a few reasons. First, European regulators prefer nudges and strong words before fines. Second, Google is incorporated in Ireland and the Irish regulator is clearly and blatantly sandbagging enforcement against US companies. The fact that they get fined at all is actually pretty damning: France had to twist and wiggle to be able to fine them without involving Ireland, and part of that was limiting the scope of the violations to things touched on by related laws, which is why the fine only covers cookie consent (governed by ePD).
However, several DPAs and local governments have reviewed Google software for their own GDPR compliance. Several of those findings are available online. These findings don't result in fines, because it's not technically an investigation of Google. But it does involve a thorough investigation of the legal issues of using Google's services, and the results are illuminating.
For example, below is a link to a report the Dutch DPA compiled on whether Dutch government agencies can use Google Workspace (formerly GSuite). The conclusion is that Google's privacy protections are catastrophically terribad (for a paid product!). It requires linking to a personal account, purposes of processing are not defined, there's definitely processing going on that's not covered by the contract, etc. Google's linking to personal data in a way that cannot be disabled by administrators means they are a Joint Controller instead of a Processor, and it's not possible for them to comply with various obligations because they're too vague about the purposes of processing.
Again, doesn't result in a fine, because they're not being investigated for violations. Someone is just asking "can we use a Google product?" But the results of that research indicate some deep structural problems.
Also that fine that France issued, where they somehow avoided invoking GDPR directly? Still the third-largest GDPR fine on record. So your expectations for fine amounts are a bit off.