The first big fine under the European Union's General Data Protection Regulation (GDPR) has finally arrived — a €50m fine for Google from the French data protection authority, CNIL.
CNIL said the fine was for breaking the GDPR's rules around transparency and having a valid legal basis when processing people's data for advertising purposes.
This is by far the largest fine to be imposed thus far under the new EU-wide privacy law, which has been in effect for eight months. The previous record was a €400,000 fine imposed on a Portuguese hospital.
The fine follows complaints from privacy activists in late May last year. Max Schrems and his None Of Your Business (NOYB) non-profit had been first off the blocks, complaining against Google and Facebook minutes after the GDPR took effect on May 25th. The French digital rights group La Quadrature du Net also lodged a complaint about Google a few days later.
Both of the Google complaints were essentially about "forced consent" — they accused Google of lacking a sound legal basis for processing people's data, because it railroaded them into consenting to processing that they did not understand.
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law," said Schrems in a statement.
"Following the introduction of GDPR, we have found that large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough," he said.
Google told ZDNet in a statement: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We're studying the decision to determine our next steps."
CNIL took the lead on the investigation because, while Google's EU headquarters are in Ireland, the Irish entity has no decision-making power over how Google treats people's data. For that reason, the fine actually targeted Google LLC, in the US.
In September last year, the French regulator studied the information that's made available to users when they create a Google account on a new Android phone.
Users who do this are presented with much of the information that's required under the GDPR — about the purposes of data processing, data storage periods and categories of personal data — but the information is "excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information," CNIL said in a statement.
"The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions," CNIL said. "For instance, this is the case when a user wants to have… complete information on his or her data collected for the personalization purposes or for the geo-tracking service. Moreover, [CNIL] observes that some information is not always clear nor comprehensive."
The regulator also pointed out that Google is "too generic and vague" when telling users how it will use their data, and there is also information missing about how long the data will be stored.
The end result is that Google doesn't have people's valid consent for the processing of their data — the consent is neither "specific" nor "unambiguous", as the GDPR requires, CNIL said. Google also pre-ticks the boxes through which people agree to ad-personalisation.
CNIL also took issue with the fact that Google gets users' data-processing consent through a catch-all "I agree to Google's Terms of Service" tickbox, not through fine-grained boxes that make sure users understand what they're getting into.
France's maximum data protection fine used to be a mere €150,000, though it upped that to €3 million in the two years before the GDPR law took effect. Now that the new, EU-wide law is in place, the maximum is €20 million or 4 percent of global annual revenues.
Google parent Alphabet recorded $110.8 billion in revenues for 2017, meaning CNIL could have theoretically hit the company with a fine of almost €4 billion.
The French watchdog said it set the fine at €50 million in light of the severity of the infringement. That's not the end of the story. If Google does not alter its ways, it can still be hit with further fines for non-compliance. Ultimately, the GDPR's power is not just about monetary penalties, but forcing changes to business models.