France’s data protection watchdog Commission Nationale de l'Informatique et des Libertés (CNIL) has fined Google a record €50 million (U.S. $57 million) for failing to provide users with transparent and understandable information on its data use policies.
It is the first time that CNIL has fined any company under Europe’s tough new data privacy law, the EU’s General Data Protection Regulation.
It is also the first time Google has been fined under GDPR (though it looks as if it will be the first of many), and it is the largest fine to date. While the sum is well short of the 4 percent of global revenues that an EU data regulator has in its power to impose, the fine is more than double the €20 million (U.S. $22.7 million) maximum fixed penalty, meaning that the calculation was based on turnover—an indication of how seriously the French regulator views Google’s misconduct.
The CNIL found Google violated users’ privacy in several ways. It said Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation,” by splitting it across multiple documents, help pages, and settings screens. In some cases, users needed to click through different links or documents at least five or six times.
Because of the lack of clarity, users were effectively unable to exercise their right to opt out of data processing for personalisation of ads.
The CNIL said the information given to users was “not always clear nor comprehensive” and that the purposes of processing were described in a “too generic and vague manner,” as were the categories of data the company was processing. Furthermore, Google did not always state how long users’ data would be retained.
The regulator found that even when user consent was collected, it did not meet the standards under GDPR that such consent be “specific” and “unambiguous,” since users were not asked specifically to opt in to ad targeting. Instead, they were coerced into accepting Google’s data policies to use their services: either accept the company’s blanket terms and privacy policies—or don’t use any of its services.
In a statement, Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
The CNIL said the fine was so large due to “the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information, and consent” and because the violations were “continuous breaches” that are still occurring. “It is not a one-off, time-limited, infringement,” said the CNIL, which added that “thousands of French people create, every day, a Google account when using their [Android] smartphone” and are therefore likely to accept consent agreements without fully knowing how their data will be used or retained.
In fact, the CNIL said Google’s violations were aggravated by the fact that “the economic model of the company is partly based on ads personalisation” and that it was therefore “its utmost responsibility to comply” with GDPR.
Two privacy rights groups—None of Your Business (noyb), led by Austrian privacy campaigner and lawyer Max Schrems, and La Quadrature du Net (LQDN)—filed their complaints against Google last May, claiming that the company did not have a valid legal basis to process user data for ad personalisation as mandated by the GDPR. Schrems filed his complaint on 25 May, which was the day that the legislation took effect. LQDN, which collected 10,000 signatures, filed its complaint three days later.
The two groups have also filed additional privacy complaints against Facebook and its subsidiaries, photo-sharing app Instagram, and messenger service WhatsApp in other EU countries.
The case is important because it has established that national regulators can take action against companies even if they are not headquartered in that jurisdiction. While Google’s European headquarters is located in Ireland, for example, EU data authorities decided that the case would be handled by the French data regulator since the Irish watchdog did not have “decision-making power” over its Android operating system and its services.
The case is also significant because it may well be the first of a string of penalties that Google, Facebook, Twitter, and other social media giants face from across the European Union as other European data regulators examine similar complaints. Google, for instance, has been accused of GDPR privacy violations by consumer groups across seven European countries over what they claim are “deceptive practices” around its location tracking.