France’s data watchdog on Monday announced a fine of 50 million euros ($57 million) for US search giant Google, using the EU’s strict General Data Protection Regulation (GDPR) for the first time.
Google was handed the record fine from the CNIL regulator for failing to provide transparent and easily accessible information on its data consent policies, a statement said.
The CNIL said Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a Google spokesperson said in a statement.
“We’re studying the decision to determine our next steps.”
The ruling follows complaints lodged by two advocacy groups last May, shortly after the landmark GDPR directive came into effect.
One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, while the other was by None Of Your Business, created by the Austrian privacy activist Max Schrems.
Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes online or on its apps which imply that its services will not be available unless the conditions of use are accepted.
“Also, the information provided is not sufficiently clear for the user to understand that the legal basis for targeted advertising is consent, and not Google’s legitimate business interests,” the CNIL said.
“We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” Schrems said in a statement after the ruling.
“It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
The GDPR is widely considered the biggest shake-up to data privacy regulations since the advent of the web.
Even companies which are not based in Europe must follow the tough new rules if they want their sites and services to be available to European users.
The CNIL found that despite changes implemented by Google since last year, it was still failing to respect the spirit of the new rules.
It noted for example that specifics on how long a person’s data is kept and what it is used for are spread across several different web pages.
Modifying a user’s data preferences also requires clicking through a variety of pages such as “More Options”, and often the choices to accept Google’s terms are pre-checked by default.
“This type of procedure leads the user to give global consent… but the consent is not ‘specific’ as the GDPR requires,” the regulator said.
It said the record 50-million-euro fine reflected the seriousness of the failings as well as Google’s dominant market position in France via Android.
“Each day thousands of French users create a Google account on their smartphones,” the CNIL said.
“As a result the company has a special responsibility when it comes to respecting their obligations in this domain,” it said.
It is not the first time the regulator has taken Google to task over its policies.
In 2014 it fined the company 150,000 euros — the maximum possible at the time — for failing to comply with its privacy guidelines for personal data.
And in 2016 it imposed a 100,000-euro penalty over non-compliance with the EU’s “right to be forgotten” rule, allowing people to request having references to them removed from search results.
Goole has contested the decision, saying it should apply only to its European sites, such as Google.fr, and not the global Google.com domain.
Earlier this month the advocate general for the European Court of Justice in Luxembourg sided with Google in the case, though a final ruling has not yet been announced.