The National Data Protection Commission (CNIL), France’s data protection office, has imposed a fine of €50 million against Google LLC for breaching the European Union online data privacy rules. This is the first major case where a fine is being imposed under the EU’s stringent General Data Protection Regulation (GDPR) that came into force last year.
The French watchdog found the US search engine giant guilty of “lack of transparency, inadequate information, and lack of valid consent regarding ad personalisation.” This case stems from concerns that were raised over Google’s applied methods of collecting data, and the lack of clear options provided for the users to consent to personalised ads.
“The general structure of the information chosen by the company does not enable [it] to comply with the Regulation,” read a CNIL statement. “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.”
The size of the fine was determined in reference to continuous violations and the extensive revenues Google is generating from advertising. According to the new legislation, the highest GDPR fines can reach up to four percent of a company’s annual turnover for serious offences.
In response to the given penalty, Google affirmed that it takes user privacy extremely seriously by issuing the following statement: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
The case was filed with the CNIL by two European non-profit organizations supporting data protection policies, La Quadrature du Net in France, and None of Your Business (NYOB) in Austria.
Max Schrems, NYOB’s privacy activist, said in a statement: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”