France’s regulatory body dealing with data privacy has fined Google €50 million regarding advertisers’ access to users’ personal data.
France’s top data-privacy agency, known as the National Commission on Informatics and Liberty (CNIL), said that Google failed to fully disclose to users how their personal information is collected and what happens to it, according to The Washington Post.
Google also did not properly obtain users’ consent for the purpose of showing them personalized ads, the watchdog agency said.
“Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” said the CNIL.
It added that “the collected consent is neither ‘specific’ nor ‘unambiguous’,” because it was difficult for users to modify preferences on where their data was used, particularly concerning targeted ads.
“The user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalization is moreover pre-ticked,” the body wrote.
In response, Google said it is “studying the decision to determine our next steps,” adding: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
The French move is the first major case of a fine being issued under the EU’s stringent General Data Protection Regulation (GDPR) introduced last year. Under the GDPR, EU regulators have the power to fine companies as much as €20 million or 4 per cent of their annual turnover – whichever is larger.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, a high-profile Austrian activist who has campaigned on data privacy issues for a number of years and is chairman of NOYB.
Two advocacy groups, None Of Your Business (NOYB) and La Quadrature du Net (LQDN), filed group complaints with the CNIL in May 2018. LQDN filed on behalf of 10,000 individuals.