Google has been struck with a €50m fine for breaching its obligations laid down by the European Union’s General Data Protection Regulation (GDPR) by CNIL, the French data protection regulator.
The CNIL stated that the financial penalty was due to Google being unable to give their users supply users with information on its data consent policies. It was claimed that Google did not allow give users the power to see how their private information is being utilized. GDPR legislation, which became enforceable on May 25 last year, stated that all companies must have the the user’s ‘genuine consent’ before gathering their private data.
A CNIL representative said: “(Also) the information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google’s legitimate business interests. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the General Data Protection Regulation (GDPR): transparency, information and consent. Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
The Austrian group None of Your Business, which was founded by Austrian Privacy advocate Max Schrem, submitted that original complaint to CNIL. The original complaint was filed with CNIL. France’s Quadrature du Net group filed the other complaint on behalf of 10,000 signatories.
Schrems responded to the news remarking: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems in a statement. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
This is the largest fine to be issued for breaching GDPR legislation since its introduction last year. This legislation says that a company which is found to be in breach of it may be fined €20m or 4% of annual global revenue for the previous year. Google may be considered as fortunate given that the annual global revenue of the company for the last quarter of 2018 was just under €30bn.
A Google representative said, commenting on the news of the penalty in France: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
Google is currently facing accusations of breaching GDPR in seven European Union Member States.