Google was fined $57 million by France’s National Data Protection Commission (CNIL) under General Data Protection Regulation (GDPR). This is the largest fine issued under the GDPR by a member of the European Union since the law came to effect in May 2018.
CNIL issued the fine on after an investigation into the company found the Google was in violation of GDPR. Investigations into began when CNIL received complaints from None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Both complainants said Google did not follow legal processes when handling personal data of users especially data related to ads.
Investigations into the company began immediately afterwards. CNIL found that Google failed to follow GDPR on two accounts: transparency and consent.
In a press release stating:
“against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
CNIL found that Google did not provide information to users about their data consent policies on two points. First, the company did not give clear, or easily accessible information to users’ on how their data was processed, stored, or used for ad purposes. Instead, Google spreads out the information over five to six steps that the user must click through. In addition, many of the described processes are very generic and vague to completely understand the processes or the legalities.
Second, Google did not gain proper consent from users when processing data for ad personalization purposes. The process to turn off personalized ads is unclear.
“before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.).”
Google is the first, major organization to be hit with a large penalty. It is important to be aware of GDPR regulations, even if not based in Europe. Any organization based in the U.S can be fined if they do not follow regulations when working with European partners.
Contact LIFARS today for compliance advisory solutions
