French Watchdog Hits Google with Record $57 Million GDPR Fine
The record-setting GDPR fines keep rolling in. On Monday, France’s National Data Protection Commission (CNIL) said it has fined Google some 50 million euros (just shy of $57 million USD) for “lack of transparency, inadequate information, and lack of valid consent” with regard to ad personalization.
The filing comes after the organization received complaints from two associations—None Of Your Business (NOYB) and La Quadrature du Net (LQDN). In both instances, Google was said to have not had a “valid legal basis to process the personal data of the users of its services,” particularly in relation to personalized ads on its services. Those complaints were initially filed back in late May, right around the time that GDPR officially took effect in Europe. CNIL said that it began investigating the claims almost immediately.
In its statement, CNIL made fairly clear just how nitpicky these GDPR watchdogs are going to be when it comes to how they handle these cases and how they determine whether or not an organization is compliant with the consumer privacy rules. Sure, Google may have had all of the necessary statements and disclosures available to the public across their various platforms and services. However, as CNIL points out, “Essential information … are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.” In fact, they said, it could sometimes take up to five or six actions in order to obtain the information necessary.
Moreover, CNIL said, some of the information is not always clear or comprehensive.
“The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes,” the statement reads. “Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.”
CNIL goes on to talk about how Google didn’t do enough to clearly get users’ consent to use their information for ad personalization and so on. And when all’s said and done they felt that the record 50 million euro fine was justifiable given the “severity of the infringements” they observed.
What’s particularly terrifying about this statement are the generalizations that CNIL uses in its own justifications. Who, for example, set the standard that five or six actions is too many to obtain the required information? And what group set the standards for how clear the language explaining how users’ information is collected and used ought to be? What constitutes “too generic” or “too vague”?
In a statement made to BBC, Google said, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
What We’re Reading
- Apple Pay expands retail presence, including all 1,850 U.S. Target stores. (Appleinsider)
- UPS and Latch are expanding their in-building delivery service to 10 more cities. (TechCrunch)
- Uber and Starbucks are teaming up to start delivering coffee in six of the largest U.S. markets. (Business Insider)