France's National Data Protection Commission (CNIL) has fined Google €50 million over breaches of the General Data Protection Regulation, following complaints surrounding the company's handling of users' personal data.
The French National Data Protection Commission (CNIL) first began investigating Google, whose parent company Alphabet makes the overwhelming majority of its revenue from advertising, after receiving complaints from pro-privacy groups None Of Your Business and La Quadrature du Net. In the complaints, it was argued that Google does not have a 'valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes'.
Following discussion with other European data protection organisations, CNIL was declared competent to investigate the matter and began inspecting Google's services in September. These inspections, the organisation has revealed, found violations of the company's obligations to transparency and accessibility of information - in particular hiding information about how users' personal data is processed in terms and conditions documents some five or six clicks away from where agreement can be made, and failing to make it clear to users exactly what their data is being processed for.
'The company Google states that it obtains the user's consent to process data for ads personalisation purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons,' CNIL's statement on the matter explains. 'First, the restricted committee observes that the users' consent is not sufficiently informed. The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section "Ads Personalisation," it is not possible to be aware of the plurality of services, websites, and applications involved in these processing operations (Google search, YouTube, Google Home, Google Maps, Play Store, Google Pictures…) and therefore of the amount of data processed and combined. Then, the restricted committee observes that the collected consent is neither "specific" nor "unambiguous."'
The ruling brings with it a financial blow to the company, in the form of a €50 million fine - the first such fine levied by a French authority under the GDPR's expanded sanction limits. CNIL has also indicated that the breaches are ongoing, meaning that further fines could follow if Google doesn't change its ways.
Neither Google nor Alphabet have publicly commented on the fine, but they are expected to appeal the ruling. The full deliberations are available direct from CNIL (French PDF warning).
Google has issued a statement confirming it plans to appeal the fine. 'We've worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing,' a spokesperson told Business Insider. 'We're also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal.'
March 25 2020 | 14:00