The French data regulator, the National Data Protection Commission (CNIL), has imposed a financial penalty of 50M euros on Google for failing to comply with GDPR. After a thorough analysis, CNIL observed that the information Google provides is not easily accessible to users, nor is it always clear or comprehensive.
CNIL started this investigation after receiving complaints from None Of Your Business and La Quadrature du Net. They complained about Google “not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.”
In reaction to @NOYBeu 's and our collective complaints, the French Data Protection Authority has decided today that Google's Android violates the GDPR and sanctioned it with a 50 million euros fine. Read our analysis. https://t.co/MDHFl3q7E3
— La Quadrature du Net (@laquadrature) January 21, 2019
Our first #GDPR complaint over invalid consent from May 25th last year has led to a € 50 Mio fine for #Google by the #CNIL today! 🥳
⏩ More Information: https://t.co/YJMwkTfPtD
⏩ Support our work: https://t.co/9hmQrVlAUa pic.twitter.com/PnLh7i5hVb
— noyb (@NOYBeu) January 21, 2019
Following its own investigation after the complaints, CNIL also found Google guilty of not validly obtaining user consent for ad personalization purposes. Per the committee, Google uses broad and obscure wording that makes it hard for people to understand how their data is being used.
For example, CNIL says, “in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, Youtube, Google home, Google maps, Play store, Google pictures…) and therefore of the amount of data processed and combined.”
Google is also violating GDPR rules when new Android users set up a new phone and follow Android’s onboarding process.
The committee found that when an account is created, the user can modify some options associated with the account by clicking on ‘More options’. However, the display of ads personalization is pre-ticked. This violates GDPR’s requirement that consent be ‘unambiguous’.
Furthermore, GDPR states that consent is “specific” only if it is given distinctly for each purpose. Google violates this because, before creating an account, the user is asked to tick the boxes «I agree to Google’s Terms of Service» and «I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. The user therefore gives his or her consent in full, for all the processing purposes carried out by Google.
Netizens feel that 50M euros is far too small a fine for an organization as massive as Google. However, a Hacker News user countered this view, saying that “Google or any other company does not get to just continue their practices, as usual, the fine is pure “punishment” for the bad behavior in the past. Google would gladly pay them if it meant they could continue their anti-competitive practices, it would just be a cost of doing business. But that’s not the point of them. The real teeth are in the changes they will be forced to make.”
Twitter users were also in support of CNIL.
#GDPR was introduced to end shady data gathering and give back control to individuals… Let's hope pre-ticked check boxes, bulk consent to processing ops and diluted user info become a thing of the past… @CNIL @ICOnews #dataprotection https://t.co/bjEYJssWSD
— Alex Torpey (@AlexT_KN) January 21, 2019
"CNIL have taken the stance that forcing people to consent to the processing of their #personaldata in order to drive an adtech business model is not lawfully compliant with GDPR and the fine makes it clear just how seriously they take this issue. "#data #privacy #law https://t.co/FoBD2wSRwv
— Francisca Sinn (@mcfslaw) January 22, 2019
Groups in US have filed complaints against @google at #ftc for years raising many same issues. No action by US #ftc. Yet French privacy regulator acted in months. The CNIL’s restricted committee imposes a financial penalty of 50m Euros against Google https://t.co/vg2E147JYt
— Jeffrey Chester (@chesterj1) January 21, 2019
To paraphrase @profgalloway.. like handing out a $1 parking ticket after not paying the meter for the day..
I'm sure this will set Google straight. https://t.co/vcltixpO5D
— Carl Boutet (@carlboutet) January 21, 2019
A Google spokesperson gave TechCrunch the following statement: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”