It’s official: Google has been slapped with a €50m GDPR and the news comes from CNIL, the French data protection authority. As this is the first big fine issued in Europe, this is a somewhat historical moment.
Allegedly, Google was violating the GDPR-based rules regarding transparency and processing people’s data for advertising purposes. Previously, a Portuguese hospital was fined €400,000, but Google’s €50m fine is the new world record.
A so-called “forced consent” was the basis of the complaints Google was getting. Essentially, they forced their users down a tunnel and got them to agree to a data processing scheme, although the explanation was not clear. Clearly, such practices are questionable at best.
Google responded to the accusations and said they’re determined to meet the high standards of transparency and control people expect from them and are studying the decision to determine their next steps.
Since the French CNIL has no authority to fine European Google headquarters, they are based in Ireland, the fine was targeted at Google LLC in the US.
In a statement, CNIL pointed out that when a user creates a new Google account on Android, the information needed to make an informed decision regarding data processing is disseminated across multiple documents, and thus, hard to find. Moreover, CNIL criticised them for being too generic and vague when explaining what happens to users’ data. Pre-setting the tick-boxes through which the users agree to ad-personalisation is also problematic.
If Google doesn’t make the changes needed, the French watchdog warns that further fines are on the horizon.