France Hits Google With $57M Fine In First Major GDPR Violation
French regulators Monday fined Google $57 million for breaching Europe's aggressive new data-privacy regulations, marking the first major penalty since GDPR took effect last year.
The country's data protection watchdog, known as the CNIL, said that Google lacked transparency and clarity around how personal information is collected and what happens to it. Google was also accused by French regulators of failing to properly obtain user consent for personalized ads.
"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent," the CNIL said in a statement.
Google, meanwhile, said it is studying the CNIL's decision to determine the company's next steps.
"People expect high standards of transparency and control from us," Google said in a statement. "We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
The CNIL began investigating Google on May 25 – the day GDPR went into effect – in response to complaints by two non-governmental organizations, None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN had been mandated by 10,000 people to present the case to the CNIL.
Under the European Union's General Data Protection Regulation (GDPR) rules, tech companies must give users a clear picture of the data they collect, along with simple tools users can rely on to consent to having their data collected. Google has failed on both of those counts, according to the CNIL.
"Essential information … [is] excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information," the CNIL said in its statement. "The relevant information is accessible after several steps only, implying sometimes up to five or six actions."
The lack of visibility is even more problematic for users, according to the CNIL, since Google operates a broad array of services from its app store, to its map service, to YouTube. Even though Google users can adjust their privacy settings when they start an account, the CNIL said that isn't enough since the default setting is for Google to display personalized ads to customers.
At the same time, Google mandates that prospective customers agree to its terms and conditions in full before creating an account. GDPR, however, indicates that specific consent must be given distinctly for each separate purpose.
The CNIL is known for its stringent interpretation of privacy rules and a willingness to punish U.S.-based tech companies for their errors. Across Europe, punishments have in recent years been doled out to Apple for its tax practices, Facebook for multiple privacy issues, and Google for charges that it sought to undermine its corporate rivals.
The United States lacks a broad, holistic consumer privacy law similar to GDPR, making Europe the world's most stringent protector of consumer privacy. Consumer advocates in the United States have urged America to follow the example set by the Europeans.