The National Data Protection Commission said Monday that it fined the firm for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
No valid consent
The commission said that Google users were “not sufficiently informed” about what they were agreeing to when providing Google with permission to use their data for targeted advertising.
It’s the first time CNIL has imposed the European Union’s General Data Protection Regulation, otherwise known as GDPR – a law which came into force in May of last year.
“The restricted committee observes that the users’ consent is not sufficiently informed,” the CNIL wrote in a statement.
CNIL went on to state that “the collected consent is neither ‘specific’ nor ‘unambiguous’”. Instead of allowing users to modify their preferences or giving them the option to opt out of data personalisation for ads, users were asked to simply agree to Google’s terms and privacy rules.
“The user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalisation is moreover pre-ticked,” the body wrote.
Data protection complaints
The fine came about following complaints launched by two advocacy groups, None of Your Business (NOYB) and La Quadrature du Net (LQDN).
The first complaint under the new regulation was filed on 25th May 2018, the day the new regulation came into effect.
NOYB filed a complaint on behalf of 10,000 signatories by France’s Quadrature du Net group, while NOYB, a non-profit organisation created by the Austrian privacy activist Max Schrems, accused Google of securing details using a strategy of “forced consent” to continue processing users’ personal data.
The organisations “reproach Google for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.”
CNIL immediately launched an investigation after the complaints were submitted.
“The amount decided and the publicity of the fine is justified by the severity of the infringements observed regarding the essential principles of the General Data Protection Regulation (GDPR): transparency, information, and consent,” the regulatory organisation said.
“Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
Google released a statement saying that people “expect high standards of transparency and control from us”.
“We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
Stricter approach to enforcing data protection laws
Cybersecurity firm Veracode’s director of solutions architecture (EMEA), Paul Farrington, said that regulators have adopted a stricter approach to enforcing data protection laws.
“The fine against Google is an indication of the serious focus on privacy and security by regulators. Global enterprises must take steps to ensure security hygiene and compliance with standards to reduce their risk and protect data.”