Google has been fined €50 million for a breach of the EU’s General Data Protection Regulation by French Regulator the National Data Protection Commission (CNIL). The CNIL said the financial penalty was imposed due to a “lack of transparency, inadequate information and lack of valid consent regarding personalisation of ads”.
The fine comes in response to two complaints filed against Google, from privacy groups None of Your Business (NOYB) and La Quadrature du Net (LQDN), over alleged mishandling of user data. After the resulting investigation, the CNIL says it found two specific breaches of GDPR.
The first breach concerns insufficient transparency around how user data is stored and used by Google. The CNIL says that information on what data is processed for, how long it is stored for, and which categories of personal data are used for ad personalisation, are “excessively disseminated across several documents, with buttons and links which you’re required to click on to access complementary information”. The data protection body found that in some cases, users have to perform five or six actions in order to get the information they’re after, which it finds to be excessive.
The CNIL also says that some of the information Google is mandated to provide is not always clear and comprehensive. “The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes,” the CNIL said in a statement.
The second breach, perhaps most significantly, concern’s Google’s methods for obtaining user consent to process personal data in order to personalise ads – CNIL says Google’s methods aren’t valid for two reasons.
Firstly, the regulator believes users aren’t sufficiently informed about how their data is used, again because this information is split across multiple documents. The CNIL says that Google doesn’t make it clear how many services are involved in personalising ads, and therefore how much of their data might be involved.
Secondly, the CNIL says that the consent collected by Google is neither “specific” or “unambiguous”, both of which are required under GDPR. When users create an account with Google, they have the option to configure ad personalisation, but the option which allows Google to use data to personalise ads is pre-ticked. This, the CNIL rules, does not constitute a clear affirmative action by the user, and therefore consent is not unambiguous. And when a user first creates am account, they are asked to “agree to the processing of my information as described above and further explained in the Privacy Policy”. Here, Google has failed to ask for consent for each distinct purpose, and therefore consent is not specific, says the French regulator.
The €50 million fine is unlikely to break the bank for Google, and was considerably lower than it could have been – the maximum fine under GDPR is two percent of annual global turnover, which for Google would have been over $2 billion.
But the implications of the ruling are very significant. Firstly, they find Google to be in continuous breach of GDPR – if the tech giant fails to change its practices, it may face further, escalating fines.
Secondly, the ruling calls out several practices which are certainly not unique to Google – it’s certainly not the only company to set ‘give permission’ as the default option when obtaining consent.
And lastly, the ruling shows that this is only the beginning when it comes to GDPR. These complaints were filed on May 25th and 28th last year, immediately after the new regulation came into force. Some have been quick to see a lack of penalties being handed out as a sign that the GDPR panic was over-hyped. But this ruling for the CNIL could be the starting pistol for further crackdowns, especially due to the way it calls out specific practices around how consent is gained.
