The National Data Protection Commission (CNIL), the data protection watchdog of France, just fined Google $57 million USD (€50 million) for violating Europe’s new GDPR law. Google is the first Silicon Valley tech company to receive a fine since the policy took effect in May of last year.
“The CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization,” CNIL said in its official statement.
CNIL received formal complaints from two associations, the None of Your Business (NOYB) and La Quadrature du Net (LQDN) foundations. Bot complaints focused on Google’s illegal processing of the personal data of its services. In their complaints, the two groups specifically mentioned the data used by Google for ad personalization purposes.
Google Violates New GDPR Law on Data Transparency
Based on CNIL’s thorough investigation, the committee found that Google’s information processing structure was not compliant with the new General Data Protection Regulation.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the committee explained.
Simply put, the information collected by Google is not readily accessible for users. A person usually has to go through several steps to access the data that Google used.
Google Fails to Fulfill Legal Basis for Ads Personalization Processing
CNIL also observed that some of the information is not clear or comprehensive, with some users failing to fully understand the extent of Google’s processing operations. Aside from violating GDPR’s policy on data transparency, Google also failed to fulfill its obligation to have a legal basis for its ad personalization processing.
The restricted committee claimed that while Google requires a user’s consent to process specific data for its ad personalization purposes, the company’s user was not “sufficiently informed”. CNIL further stressed that the collected approval is either not specific or unambiguous.
The Fine
Each complaint cost Google 25 million Euros. The maximum fine for large enterprises under the new GDPR law is four percent of the company’s annual turnover. Theoretically, Google’s maximum fine could reach four billion Euros.
“Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” the restricted committee added.
Comments (0)
Most Recent