The fine comes a month after Facebook was fined €10m by Italy’s competition regulator for misleading its own users over data practices.
CNIL, the French data protection regulator, has issued a fine of €50 million($57m) against Google due to the company’s lack of transparency and its failure to obey GDPR obligations when Android users set up a new phone and follow its onboarding process.
This is by far the biggest fine issued by a European regulator and the first time that a tech giant has been caught under new terms laid out in a pan-European GDPR, that came into play in May last year. The maximum fine that a company has to pay under the new law for GDPR violations is 4% of its annual turnover, which rounds up to almost €4bn for Google.
CNIL said that Google failed to disclose to its users how their personal data is collected and what exactly they do with it. The company also did not ask for user’s consent to show them personalized ads, the watchdog agency explained.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the regulator further said.
Non-profit organization ‘None of Your Business’ originally filed a complaint back in May 2018 against Google and Facebook for their GDPR privacy violation activities, Max Schrems, leader of the organization lately said,
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
Under Europe’s new GDPR privacy policy, tech companies have to give users a clear picture of how their data is collected, along with taking a user’s consent to have their personal information used by a website.
French regulators said that while users can modify their privacy settings on Google, it still isn’t enough as the default setting is fashioned to display personalized ads to users. Google also requires people to agree to its terms and conditions to sign up for new accounts. A loophole that CNIL pointed out is that Google makes users agree to everything or not use the service at all.
Google stated,
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
Dr. Lukasz Olejnik, a privacy researcher and adviser, said that this is the world’s largest data protection fine till date. He further explained how the ruling is a milestone for privacy enforcement and that the whole European Union should welcome the fine. “It loudly announced the advent of GDPR decade,” he said.
Estelle Massé, a data protection expert at the advocacy group Access Now, said that Google isn’t the only company to not fulfill GDPR requirements, “but the fine is significant for Google and also for other actors.”
