Google has copped a near-$80 million (50 million euros) fine from French authorities, making it the first major tech company to fall foul of Europe’s tough new data protection rules.
In imposing the fine, France’s top data-privacy agency, the Commission Nationale de l'Informatique et des Libertés (CNIL), ruled that tech titan Google had violated the European Union’s General Data Protection Regulation in two ways.
CNIL found that Google violated the obligations of transparency and information in the collection and use of user data, and the obligation to have a legal basis for ads personalisation processing.
The severity of the fine is justified by the seriousness of the breaches and the fact it “is not a one-off, time-limited, infringement”, the agency said.
“This is the first time that the CNIL applies the new sanction limits provided by the GDPR,” the agency said in a statement.
“The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
According to the French data agency, the information Google provides to users on the use of their data is “not easily accessible”.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” it said.
Some of the information provided by Google is also “not always clear nor comprehensive”, and the purposes provided for data processing are described in a “too generic and vague manner”.
The CNIL also ruled that Google does not validly obtain the consent of users for ads personalisation processing because they are “not sufficiently informed”. It said that the information provided by Google for ads personalisation is “diluted” and “does not enable the user to be aware of their extent”.
While the agency acknowledged that Google users can modify some options and change the display of personalised ads, it said that the ads personalisation option is pre-ticked by default, and that a user has to agree to Google’s terms of service in full, when they should have to give consent distinctly for each purpose.
These dual infringements “deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations”, the CNIL said.
The GDPR came into effect in May last year, and the CNIL opened its investigation into Google on the same day. It has also filed complaints against fellow tech giant Facebook.
The GDPR is a global data protection and security standard that is making ripples around the world, and changing the way that tech companies approach big data. The GDPR requires a platform to give users a full and clear picture of the data that is collected on them, and a simple way for users to give full and informed consent to the collection and use of their data.
While Australia does not have equivalent protections to the GDPR, local regulators are taking steps to curtail the market powers of Google and the company’s use of personal data.
The Australian Competition and Consumer Commission (ACCC) released its draft report as part of its inquiry into digital platforms in December last year, recommending new anti-monopoly methods, and ways to prevent “default bias”.