In the first major regulatory action of the GDPR era, Google has been fined €50m ($57m, £44m) in France for failing to notify users about how their data is used.
French regulator CNIL issued the fine this week after complaints by two rights groups, noyb and La Quadrature du Net (LQDN), one of which was filed on the day the new legislation came into force.
CNIL claimed it observed two breaches of the GDPR.
First, Google violated the obligation of transparency because “essential information” on how users’ data is processed to personalize ads is spread out across multiple documents. In addition, some of the info “is not always clear nor comprehensive,” the regulator said.
Second, Google did not have a legal basis to process data for ad personalization because user consent was not validly obtained. The reason for this, again, is that user consent is not sufficiently informed, given the difficulty of locating the relevant info across numerous documents.
Also, when creating a Google account, the user must click through to modify options, with the ad personalization box pre-ticked: another no-no in the GDPR era.
The case relates specifically to the creation of a Google account on Android. Although Google’s European headquarters is in Ireland it was decided the local data protection authority there did not have a decision-making power over the OS and services.
“This is the first time that the CNIL applies the new sanction limits provided by the GDPR,” the French regulator concluded. “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
Google reportedly said it is “studying the decision” before deciding on what to do next.
AlienVault security advocate, Javvad Malik, argued that organizations dealing with customer data need to ask themselves two questions.
“First, what purpose the data is being used for and for how long? Secondly, have the users truly given informed consent? If the answer to either is unclear, then they should not go ahead with it," he said.
Ron Moscona, a partner at the international law firm Dorsey & Whitney, said the fine was a warning shot across the bows of the digital industry as a whole.
“The data obtained from users can be hugely valuable. Consent can be a significant hurdle to harvesting that data. Business models are evolving, and companies are beginning to learn what regulators in the EU expect," he added.
“"This result is more proof that the GDPR presents a hurdle to the way companies collect and monetize data on the internet. We’ve seen these companies evolve before to deal with regulation, and penalties such as CNIL levelled here will undoubtedly inspire them to evolve even further.”