France hits Google with 50 million euro data consent fine

Adjust Comment Print

In a statement, the agency slammed the Chocolate Factory for a lack of transparency, and said that users weren't able to understand the extent of Google's "massive and intrusive" data processing.

Stemming from an investigation that began in May - the day after Europe's strict new data privacy rules known as GDPR went into effect - France's data protection authority has announced a $57 million fine against Google in the first such GDPR penalty levied against a USA technology company.

Europe's new rules, as the Washington Post pointed out, "have set a global standard that has forced Google and its tech peers in Silicon Valley to rethink their data-collection practices or risk sky-high fines".

"The purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes", the CNIL added.

Around 10,000 people signed the initial petition to initiate an investigation, which was filed by France's Quadrature du Net group and None Of Your Business, an NGO which advocates for consumer privacy.

France's digital privacy watchdog, the National Data Protection Commission (CNIL), charges that although Google took some steps to comply with GDPR, it still fails to make data processing information "easily accessible for users" and does not validly obtain consent for showing users personalized ads.

The first complaint under the EU's new general data protection regulation (GDPR) was filed on 25 May 2018, the day the legislation took effect.

In 2018, Google faced a much larger, record US$5 billion fine for stifling competitors on Android, its smartphone operating system.

In a statement obtained by ABC News, a Google spokesperson said the company is "studying the decision" to determine its next steps. However, the GDPR provides that the consent is "specific" only if it is given distinctly for each objective.

They said Google had made it too hard for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.

Secondly, even though Google says that it asks for its users' consent before processing data meant for ads personalization, CNIL's restricted committee found that is not the case given that users are not sufficiently informed during this process and the consent is neither "specific" nor "unambiguous", as required by the GDPR. Companies that violate the legislation may be fined up to 20 million euros or 4 percent of their annual turnover. "It is important that the authorities make it clear that simply claiming to be compliant is not enough", he said.

The French watchdog also noted that Google continues to engage in several of these illegal practices, meaning that they are part of a pattern of systemic GDPR violation rather than one-off offenses.