This weekend, Google was fined 50 million euros (over $55 million) by France’s Data Privacy Authority, CNIL, for breaching Europe’s (fairly) new General Data Protection Regulation.
GDPR lays the framework for the legal processing of personal data, requiring that companies have a lawful basis for processing a user’s personal information. This lawful basis can result from the user’s genuine consent prior to collecting personal information; processing necessary for the performance of a contract, compliance with a legal obligation, to protect the vital interests of a data subject or natural person, for the performance of a task in the public’s interest, or for the purpose of the legitimate interests of a controller or third party.
The GDPR went into effect on May 25, 2018. Shortly after its enactment, two privacy rights groups, noyb (Max Schrems’ brainchild) and La Quadrature du Net (LQDN) filed complaints against Google with the CNIL. The noyb complaint was filed on May 25, the same day the Regulation took effect.
According to the CNIL, Google did not obtain sufficient user’s consent prior to collecting information for the purpose of showing personalized ads. The CNIL also concluded that Google failed to properly disclose to users how their personal information is collected by the company, and how it is used. The French privacy regulator found issues with a variety of Google’s practices such as placing information regarding data processing purposes, data storage periods, or the categories of personal data used for ad personalization in locations “excessively disseminated” across various documents and requiring the user to follow many different links; the lack of clarity (read: transparency) of the explanatory materials provided to users; requiring users to accept all terms and conditions in order to create accounts, the alternative to which would be not to use any of Google’s many services at all; and burying the options to change settings for ads personalization, as well as pre-ticking the box to allow it. As a result, the CNIL found that the legal basis for processing personal data was unclear, was not necessarily for the legitimate interest of the company, and that any consent provided by users was not obtained pursuant to the requirements under the GDPR.
This 50 million euro fine is the largest to be issued not only under the GDPR, but by any European regulator. However, things could have been much worse for the Andriod creators, as GDPR allows for fines up to 4% of a company’s annual global turnover, which could have resulted in a fine in the billions.
Google has responded to the fine stating that it is “studying the decision to determine our next steps,” and that “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.” Google plans to appeal against the fine, stating it “worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible.”