CNIL, the French data protection authority, has imposed a record fine of €50m on Google for violating Europe’s General Data Protection Regulation (GDPR).
It said that the search company was not not properly disclosing to users how data is collected across its services, including its search engine, Google Maps and YouTube, in order to present personalised advertisements
The ruling is based on two complaints regarding the issue of ‘forced consent’ – the practice of companies cajoling users into authorising access to their data with a “take it or leave it” approach – by campaign group NOYB and the French NGO La Quadrature du Net.
CNIL said that on investigating it found Google were in breach for lack of transparency, inadequate information provision, and lack of valid consent regarding personalisation of advertisements.
“The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” it said.
The penalty is the largest to date under the new European privacy law. CNIL added that the infringements by Google were still occurring.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, the chairman of noyb.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products.
“It is important that the authorities make it clear that simply claiming to be complaint is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit. I would also like to thank our supporters who make our work possible.”