The French data protection watchdog CNIL has fined Google a record €50m (£44m) for failing to provide users with transparent and understandable information on its data use policies.
For the first time, the company was fined using new terms laid out in the pan-European general data protection regulation. The maximum fine for large companies under the new law is 4% of annual turnover, meaning the theoretical maximum fine for Google is almost €4bn.
The fine was levied, CNIL said, because Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, by splitting them across multiple documents, help pages and settings screens.
That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads.
Additionally, the watchdog found that even when user consent was collected, it did not meet the standards under GDPR that such consent be “specific” and “unambiguous”, since users were not asked specifically to opt in to ad targeting, but were asked simply to agree to Google’s terms and privacy policy en masse.
In a statement, Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
CNIL justified the large fine by noting that the violations were continuous, and still occurring. It added that Google’s violations were aggravated by the fact that “the economic model of the company is partly based on ads personalisation”, and that it was therefore “its utmost responsibility to comply” with GDPR.
Dr Lukasz Olejnik, an independent privacy researcher and adviser, said the ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement, and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of GDPR decade,” he said.
The fine came about following complaints in May from two European pressure groups, None Of Your Business (Noyb) and La Quadrature du Net. Both groups accused Google, as well as a number of other large internet companies including Facebook, of not having a valid legal basis to process the personal data of users of its services, “particularly for ads personalisation purposes”.
At the time, Noyb, which is led by the Austrian privacy campaigner Max Schrems, argued that companies sought consent for advertising personalisation by offering a simple “take it or leave it” approach to the entire service, and said any such consent obtained should be considered invalid given the “powerful position these companies have”.
The fine comes a month after Italy’s competition regulator fined Facebook €10m for misleading its own users over data practices. The watchdog said Facebook wrongly emphasised the free nature of the service without informing users of the fact that their data would be used to generate a profit for the company.