Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Privacy

France Hits Google With 50 Million Euro Data Consent Fine

France’s data watchdog on Monday announced a fine of 50 million euros ($57 million) for US search giant Google, using the EU’s strict General Data Protection Regulation (GDPR) for the first time.

France’s data watchdog on Monday announced a fine of 50 million euros ($57 million) for US search giant Google, using the EU’s strict General Data Protection Regulation (GDPR) for the first time.

Google was handed the record fine from the CNIL regulator for failing to provide transparent and easily accessible information on its data consent policies, a statement said.

The CNIL said Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a Google spokesperson said in a statement.

“We’re studying the decision to determine our next steps.” 

The ruling follows complaints lodged by two advocacy groups last May, shortly after the landmark GDPR directive came into effect.

One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, while the other was by None Of Your Business, created by the Austrian privacy activist Max Schrems.

Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes online or on its apps which imply that its services will not be available unless the conditions of use are accepted.

Advertisement. Scroll to continue reading.

“Also, the information provided is not sufficiently clear for the user to understand that the legal basis for targeted advertising is consent, and not Google’s legitimate business interests,” the CNIL said.

“We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” Schrems said in a statement after the ruling.

“It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

‘Special responsibility’ 

The GDPR is widely considered the biggest shake-up to data privacy regulations since the advent of the web.

Even companies which are not based in Europe must follow the tough new rules if they want their sites and services to be available to European users.

The CNIL found that despite changes implemented by Google since last year, it was still failing to respect the spirit of the new rules.

It noted for example that specifics on how long a person’s data is kept and what it is used for are spread across several different web pages.

Modifying a user’s data preferences also requires clicking through a variety of pages such as “More Options”, and often the choices to accept Google’s terms are pre-checked by default.

“This type of procedure leads the user to give global consent… but the consent is not ‘specific’ as the GDPR requires,” the regulator said.

It said the record 50-million-euro fine reflected the seriousness of the failings as well as Google’s dominant market position in France via Android.

“Each day thousands of French users create a Google account on their smartphones,” the CNIL said. 

“As a result the company has a special responsibility when it comes to respecting their obligations in this domain,” it said.

It is not the first time the regulator has taken Google to task over its policies.

In 2014 it fined the company 150,000 euros — the maximum possible at the time — for failing to comply with its privacy guidelines for personal data.

And in 2016 it imposed a 100,000-euro penalty over non-compliance with the EU’s “right to be forgotten” rule, allowing people to request having references to them removed from search results.

Goole has contested the decision, saying it should apply only to its European sites, such as Google.fr, and not the global Google.com domain.

Earlier this month the advocate general for the European Court of Justice in Luxembourg sided with Google in the case, though a final ruling has not yet been announced.

Written By

AFP 2023

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Compliance

The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Government

The proposed UK Online Safety Bill is the enactment of two long held government desires: the removal of harmful internet content, and visibility into...