The French data protection authority CNIL has imposed a record €50 million (£44 million) fine on Google for violating the EU’s GDPR data protection rules.
CNIL cited “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation” in justifying the fine.
The financial penalty follows group complaints from the privacy associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). The submissions were led by claims that Google does not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.
Despite Google’s claims that it obtains user consent to process data for ad targeting, CNIL concluded that consent is not validly obtained:
“First, the restricted committee observes that the users’ consent is not sufficiently informed. The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent.
“Then, the restricted committee observes that the collected consent is neither ‘specific’ nor ‘unambiguous’.”
The GDPR deems consent unambiguous only when “clear affirmative action” is given distinctly for each purpose – making Google’s general ‘I agree to everything’ consent forms a non-starter.
Clear as mud
CNIL also found that Google is falling short when it comes to making information – such as data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation – easily accessible to users.
The means for accessing such information is convoluted – often requiring five or six actions – and the vast number of services offered by Google makes descriptions of the company’s purposes of processing and data categories “too generic and vague”.
Max Schrems, Chairman of initial complainant NOYB, commented:
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
Internet of Business says
The claimed breaches of GDPR regulations by Google are not limited, one-off infringements but ongoing violations still observable on Google’s services.
This is reflected in the imposed fine, as is the ubiquity of many of Google’s services throughout France.
Meanwhile, Google has stated that it is “studying the decision” before taking any action.
The penalty comes at a time when Big Tech companies are being placed under greater scrutiny, and data privacy laws introduced in Europe are finding similar form in the US.
This mirrors political activity in France, and more widely in the EU, that looks set to force international tech companies to pay local taxation based on where the end customers are, rather than the countries through which revenue is funnelled.
NOYB, which played a key role in CNIL investigating Google’s data handling procedures, filed 10 strategic complaints against eight streaming services last week. The list includes Amazon Prime, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube.
The filings relate to the companies’ claimed failings when it comes to abiding by GDPR’s new ‘right to access’ regulations, which allow users the right to obtain a copy of the raw data that a company holds on them. This data must be easily parsed by both humans and machines.
Alongside this, companies must share information about the sources and recipients of the data, the purpose for which the data is processed, and the countries in which the data is stored and for how long.
NOYB’s findings imply many streaming services are falling well short of GDPR requirements.
Should NOYB’s complaints gain traction, as their claims against Google did, the streaming companies may face large fines and the sort of public data privacy scrutiny Facebook will be happy to share around.