France Fines Google $57M for Data Privacy Violation

Jan 23, 2019, 01:19
France Fines Google $57M for Data Privacy Violation

In a statement, the agency slammed the Chocolate Factory for a lack of transparency, and said that users weren't able to understand the extent of Google's "massive and intrusive" data processing.

La Quadrature du Net, one of the groups that filed the complaint against Google, lamented it is "very low in comparison to Google's annual turnover".

The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation (GDPR), which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data.

While the company's European headquarters is located in Ireland, authorities decided that the case would be handled by CNIL since the Irish watchdog lacked "decision-making power" over its Android operating system and services.

More news: PG&E: What Bankruptcy Means for the Utility

The CNIL added that Google split essential information across several documents, which was sometimes only accessible following 5 or 6 actions.

Second, Google did not have a legal basis to process data for ad personalization because user consent was not validly obtained.

Google said in a statement: "People expect high standards of transparency and control from us". Also, under the old rules that came before GDPR replaced them, Google would have only been fined $170,000 (150,000 euros) for the same violations instead of $56.8 million.

The ruling brings with it a financial blow to the company, in the form of a €50 million fine - the first such fine levied by a French authority under the GDPR's expanded sanction limits.

More news: Australian Open: Rafael Nadal RINSES journalist for falling asleep

The commission also found that Google hadn't presented the information in a clear and comprehensive manner, saying the company's descriptions are "too generic and vague". However, as provided by the GDPR, consent is "unambiguous" only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance).

The GDPR, which went into effect in May, introduced tougher rules on processing and storing personal data and requires companies to seek explicit consent before using personal data.

The CNIL's statement goes on to note that "the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and nearly unlimited possible combinations". However, the GDPR provides that the consent is "specific" only if it is given distinctly for each objective.

It added that "the collected consent is neither "specific" nor "unambiguous", because it was hard for users to modify preferences on where their data was used, particularly concerning targeted ads.

More news: Powell: Fed 'Waiting and Watching' With Patience on Rates