France’s highest administrative authority on Friday dismissed a challenge by Google against a fine of 50 million euros ($56 million) for failing to provide adequate information on its data consent policies.
The fine was imposed in 2019 by France’s data watchdog, the CNIL.
It found at the time that Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
Its ruling applied principles enshrined in the EU’s strict new General Data Protection Regulation (GDPR). Google then appealed.
But on Friday, the Council of State, a French government body that is also the court of last resort for matters of administrative justice, confirmed the CNIL ruling.
It agreed the information that Google provided to users “does not meet the requirements of clarity and accessibility required by the GDPR” even when the nature and volume of data collected was “particularly intrusive.”
The council said the CNIL’s record fine was not disproportionate “given the particular seriousness of the breaches committed, their continuous nature and duration, the ceilings provided for by the GDPR (up to four percent of turnover) and Google’s financial situation.”
In a statement sent to AFP, the American giant said it would “now examine the changes we need to make”.
The matter was brought to the CNIL by two advocacy groups shortly after the landmark GDPR directive came into effect.
One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, and the other by None Of Your Business, created by the Austrian privacy activist Max Schrems.
Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes online or on its apps which imply that its services will not be available unless the conditions of use are accepted.
The CNIL noted in its ruling that details on how long a person’s data can be kept and what it is used for were spread over several different web pages.
Modifying a user’s data preferences required clicking through a variety of pages such as “More Options”, and often the choices to accept Google’s terms were pre-checked by default.
It was not the first time the regulator had taken Google to task.
In 2014 it fined the company 150,000 euros — the maximum possible at the time — for failing to comply with privacy guidelines.
And in 2016 it imposed a 100,000-euro penalty over non-compliance with the EU’s “right to be forgotten” rule which allows people to request having references to them removed from search results.