The French data regulator CNIL has fined Google 50 million euros, about £44m, for a breach of the EU’s data protection rules.
The regulator said it had imposed the fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
CNIL said it judged that people were “not sufficiently informed” about how Google collected data to personalise advertising.
Google responded In a statement, saying it was “studying the decision” to determine its next steps.
The first complaint was filed the same date GDPR came into effect.
It was in May 2018 when two privacy rights groups filed complaints against Goggle under the General Data Protection Act, GDPR. GDPR came into effect on 25th May 2018 and the first complaint was filed on the same day.
The groups noyb and La Quadrature du Net (LQDN) claimed Google did not have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR.
Although Google’s European headquarters is in Ireland, it was decided among the authorities that the case would be handled by the French data regulator, since the Irish watchdog did not have “decision-making power” over its Android operating system and its services.
More transparency needed.
The regulator said Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents”.
“The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” the regulator said.
“Users are not able to fully understand the extent of the processing operations carried out by Google.”
In addition to this, say the regulator, Google had failed to obtain a valid legal basis to process user data.
“The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent,”
It also pointed out that the option to personalise ads was “pre-ticked” when creating an account, which did not respect the GDPR rules.
“The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc).
“However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”
The regulator said it was Google’s “utmost responsibility to comply with the obligations on the matter”.
In a statement, Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”