After Google was ordered to pay €50 million (about $57 million) by the French data protection authority—the largest financial penalty under the General Data Protection Regulation (GDPR) to date—other companies were left to wonder whether they are next.
Tipped off by complaints from privacy groups, the National Data Protection Commission (CNIL) in France launched an investigation into the search engine and found two types of breaches of the GDPR: violations of the obligations of transparency and information, and of the obligation to have a legal basis for ads personalization processing.
The information provided by Google is not easily accessible to users, CNIL said, and essential information (such as the data processing purposes or the categories of personal data used for ad personalization) can be found only after taking several steps, sometimes up to five or six actions.
Adding to the problem, some of the information provided by Google “is not always clear nor comprehensive,” CNIL said. In particular, the purposes of data processing are described in terms that are “too generic and vague,” according to the regulator, leaving consumers unable to fully understand the extent of the processing operations carried out by the company.
The second violation occurred with regard to consent. Although Google argued that it obtains the consent of users to process data for ad personalization purposes, CNIL found that the consent was not validly obtained. Users are not sufficiently informed, according to the decision, as the information is “diluted” in several documents.
“For example, in the section ‘Ads Personalization,’ it is not possible to be aware of the plurality of services, websites and applications involved in these processing applications (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined,” CNIL wrote.
The regulator also found that the consent obtained by Google was neither “specific” nor “unambiguous” as mandated by the GDPR. When a user creates an account, he or she can modify some options, including the display of personal ads.
“That does not mean the GDPR is respected,” CNIL declared. “Indeed, the user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is ‘unambiguous’ only with a clear affirmative action from the user (by ticking a non-pre-ticked box[,] for instance).”
Further, a user is asked to select a box to agree to Google’s Terms of Service and Privacy Policy before creating an account, which Google argued satisfied the consent requirement. “However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose,” CNIL said.
The regulator settled on a financial penalty of €50 million. “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent,” CNIL wrote.
Users were deprived of “essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” CNIL explained. “Moreover, the violations are continuing breaches of the [GDPR] as they are still observed to date. It is not a one-off, time-limited infringement.”
Google announced that it plans to appeal the fine.
“We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing,” the company said in a statement. “We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”
Why it matters: Since the GDPR took effect last May, several countries have taken enforcement actions for violations, and fines have been levied in Austria, Germany and Portugal, but the penalty CNIL imposed on Google (the first fine that regulator has imposed) sets a new record high and serves as a warning to other covered entities.