In a landmark ruling, France’s data protection commissioner has fined Google €50m (around $57m) for violating Europe’s General Data Protection Regulation (GDPR). The fines penalize the search and advertising giant for not giving information to users or obtaining valid consent when gathering data to personalize advertisements.
The fines are the result of an investigation into Google lasting almost eight months. It began when advocacy group None of Your Business (NOYB) filed a complaint against Google with data protection regulators in Austria, Belgium, Germany and France last May, shortly after GDPR came into force. The French regulator also received a similar complaint from French digital rights advocacy group La Quadrature du Net (LQDN).
France’s regulator, the Commission Nationale de l’Informatique et des Libertés (CNIL), announced on Monday that it agreed with the complaints, finding that Google “excessively” spread privacy information across several places during the Google account creation process.
This information includes what the data would be used for, how long it would be stored, and the types of personal data used to personalize ads. Spreading it out made it hard for users to find, the CNIL ruling says:
The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.
Even when users do find that information, it is often vague, the CNIL adds. There are so many services collecting so much data that it is difficult for users to understand everything that their data will be used for.
The extent of Google’s data processing across all these services also invalidates Google’s claims that it obtains consent from users to personalize ads, the organization said:
For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations… and therefore of the amount of data processed and combined.
The company also stumbles on consent gathering: the CNIL says its consent is neither “specific” nor “unambiguous”, so it fails two key tests under the GDPR. First, it pre-ticks consent boxes during account creation that allow for ads personalization, which counts as an opt-out approach to consent rather than an opt-in one.
Moreover, Google doesn’t gather consent separately for each use of the user’s data:
The user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.
Why did France take the lead?
Normally the lead investigator is the data protection authority in the country where a company has its European headquarters. In this case, the CNIL says that it took the lead because the Data Protection Authority in Ireland, where Google has its European headquarters, didn’t consider itself to have jurisdiction over Google’s account creation processes.
The fines were so high because Google has become such an important and widely used service in France, says the CNIL, with thousands of French people creating Google accounts on Android phones every day. The implications of Google’s data gathering on French citizens are also broad, it warns:
The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.
Google isn’t the only company facing GDPR fines over its stewardship of user data. In October, the Irish Data Protection Commission announced an investigation into Facebook following the social giant’s announcement of a data breach affecting 50 million user accounts. NOYB also filed complaints against Facebook and its Instagram and WhatsApp companies along with the Google complaint.
Based on its Q3 2018 revenues, Google earns enough to pay the CNIL fine in under four hours.
NOYB is headed by Max Schrems, the Austrian lawyer whose complaints against Facebook eventually forced the EU to invalidate its Safe Harbor rules and changed the law regarding sharing of European citizens’ data with companies overseas.