The French National Data Protection Commission, France’s privacy watchdog, fined Google $57 million for “lack of transparency, inadequate information, and lack of valid consent” regarding ad personalization for users. It is the first such fine for a big U.S. tech company under the European Union’s GDPR (General Data Protection Regulation) and one of the biggest enforcement actions since the new regime went into effect last spring.
The CNIL (Commission Nationale de l’Informatique et des Libertés/National Data Protection Commission) said Google users were “not sufficiently informed” about the data collected for targeted advertisements. It said Google required “sometimes up to 5 or 6 actions” for users to find out how and why their data is being used. The CNIL said the violations “deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life.”
The new regulatory regime allows companies to be fined up to 4% of their global turnover, possibly billions of dollars in Google’s case, for more serious offenses.
Companies like Google, which is headquartered in the United States, must still comply with the GDPR because they have millions of users in Europe.
In a statement, Google said it was “deeply committed” to transparency and user control as well as GDPR consent requirements.
“We’re studying the decision to determine our next steps,” the company said.
The CNIL said two data protection advocacy groups, NOYB.EU (None of Your Business) and La Quadrature du Net, filed complaints with the regulator immediately after the GDPR took effect, prompting the investigation.
NOYB, headed by Austrian privacy activist Max Schrems, brought similar complaints against Facebook.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” Schrems said in a statement.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products…It is important that the authorities make it clear that simply claiming to be compliant is not enough,” said Schrems.