French regulator fines Google $57 million for GDPR violations

Image: BEN STANSALL/AFP/Getty Images

Brace yourselves: The GDPR fines are coming. 

France’s National Data Protection Commission (CNIL) has fined Google 50 million euros ($56.8 million) for breaching the European Union’s General Data Protection Regulation (GDPR) rules, the regulator announced on Monday. 

After receiving complaints from two associations — None Of Your Business (NOYB) and La Quadrature du Net (LQDN), the CNIL found that Google has violated GDPR rules in two ways. 

First, the organization found that Google provided information to users in a non-transparent way. 

“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” CNIL said. 

Second, CNIL concluded that Google was not validly obtaining users’ permission for data processing and ads personalization purposes. 

The users’ consent, CNIL claims, “is not sufficiently informed,” and it’s “neither ‘specific’ nor ‘unambiguous’.”

“The amount decided, and the publicity of the fine, are justified by the severity of the infringements” 

CNIL’s findings echo what many users have felt when dealing with privacy settings of large online companies that provide numerous services, such as Google and Facebook: While it may be possible to opt out of various ads personalization and data processing schemes, the process is often too convoluted and the settings too complex for many users to fully comprehend. 

“The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent,” CNIL said. 

“Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”

The 50 million euro fine is the first fine CNIL has imposed related to GDPR rules. It is not, however, the first time CNIL has fined Google for privacy violation. In 2011, the regulator fined Google $141,000 for gathering data from private Wi-Fi networks while collecting Google Street View Imagery. And in 2014, CNIL fined Google $200,000 for not being transparent enough about a privacy policy change. 

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps,” a Google spokesperson told Mashable in an e-mailed statement.