Europe’s tough new data protection laws have claimed their first scalp after Google was slapped with a 50 million euro (£44m) fine for breaking EU privacy laws.
France’s data protection office (CNIL), which issued the fine, found the US search engine guilty “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”
The hefty fine, the largest GDPR penalty so far to be imposed against an American tech giant, comes after complaints were filed by two advocacy groups in May last year.
One of those complaints was filed by France’s Quadrature du Net group, while the other was by ‘None Of Your Business’, created by the Austrian privacy activist Max Schrems who famously took on Facebook with the Irish data protection watchdog.
Their complaints centred around Google not having a valid legal basis to process the personal data of the users of its services, particularly for ad personalisation purposes.
Those complaints triggered a CNIL investigation, despite the fact that Google’s European headquarters are in Ireland, which would have normally meant the investigation was carried out by the Irish data protection watchdog.
But in this case, following “the discussions with the other authorities, in particular with the Irish DPA”, it was felt that when the CNIL initiated proceedings, “the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by Google, in relation to the creation of an account during the configuration of a mobile phone.”
The CNIL therefore carried out the investigation and “observed two types of breaches of the GDPR.”
Firstly, it decided that the information about data processing, geo-tracking, storage, etc., provided by Google was not easily accessible for users, and needed 5 or 6 actions to access it. The CNIL also felt that some information was not always clear or comprehensive.
“Users are not able to fully understand the extent of the processing operations carried out by Google,” said the CNIL. “But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined.”
“Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company,” it added.
“The CNIL restricted committee publicly imposes a financial penalty of 50 Million euros against Google,” it said. “This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
Google reportedly said it was “studying the decision” to determine its next steps.
But at least one expert said that the fine should act as a wake-up call for tech firms.
“The fact that the French regulator, CNIL, is applying a record fine to a high-profile company such as Google shows that GDPR is no longer an afterthought,” said David Emm, principal security researcher at Kaspersky Lab UK.
“While the potential heavy fines under GDPR have been spoken about for some time now, this fine sets a precedent of how the mishandling of data really does have serious consequences,” said Emm. “This is a landmark ruling, and one that will become the benchmark for future fines too. The standard has now been set, and companies the world over need to take notice.”
GDPR enables European regulators to impose fines of up to 4 percent of a company’s global annual turnover for serious violations.