France’s data protection agency, the National Data Protection Commission (CNIL), on Monday announced a fine of €50 Mn ($57 Mn) on Google citing the European Union’s new General Data Protection Regulation (GDPR) for the first time.
The CNIL regulator said that the fine has been levied due to lack of transparency, inadequate information, and lack of valid consent regarding ad personalisation by the US search giant. According to the CNIL, Google has made it too confusing for its users to understand and manage preferences on how their personal information is used.
Reacting to the penalty, Google reportedly said it was “studying the decision.”
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a Google spokesperson said in a statement, according to media reports.
The ruling follows complaints lodged by two advocacy groups in May 2018 called None Of Your Business (NOYB) and La Quadrature du Net (LQDN).
NOYB, which was created by Austrian privacy activist Max Schrems, accused Google of securing “forced consent” through the use of pop-up boxes online or on its apps which imply that its services will not be available unless users accept its conditions of use.
This stand was vindicated by the French authorities who noted that the information provided by Google was not easily accessible to users.
Google’s Violations As Per The CNIL
After studying the onboarding process for a new Android smartphone user, the CNIL said that the information provided by Google is “not clear nor comprehensive.”
Here are some of the observations that the CNIL made:
- Essential information, such as the data processing purposes, the data storage periods, or the categories of personal data used for ads personalisation are excessively disseminated across several documents
- The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions
- Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive due to the services offered
Another major pain point for the data watchdog was Google’s claim that it obtains user consent on recording data for ad personalisation purposes.
However, the restricted committee said that the consent is not validly obtained as the personal data clauses are spread over several documents and do not enable the user to get a clear picture of what they are agreeing to.
Due to this, the user consent garnered by Google is neither “specific” nor “unambiguous,” said the CNIL. According to GDPR rules, consent is “unambiguous” only with a clear affirmative action from the user.
However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.
Google And EU: An Uneasy Relationship
Since 2010, Google has faced three major anti-trust cases from the EU over violations of its competition laws due to its dominant position in the market. These cases have resulted in formal charges against Google related to Google Shopping, Google AdSense, and the Android operating system. Till date, Google has been found guilty of antitrust behaviour in cases related to Google Shopping and Android and has been fined over 6 Bn Euros.
Prior to the latest infringement, Google was fined 2.4 Bn Euros, the largest such antitrust fine issued by the European Commission due to preferential treatment of its homegrown Google Shopping product.