French data watchdog dishes out largest GDPR fine yet: Google ordered to hand over €50m

CNIL brands ad personalisation consent invalid, slams lack of transparency

Google has been fined a mammoth €50m by the French data protection watchdog for GDPR violations in a victory for Max Schrems' privacy group NOYB.

The French agency, CNIL, ruled today that the search giant had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalisation.

Acting on a complaint from NOYB and French group La Quadrature du Net, the agency said it had investigated the process for setting up a Google account from an Android device.

The CNIL concluded that Google had breached the General Data Protection Regulation in two ways: by failing to meet transparency and information requirements, and failing to obtain a legal basis for processing.

Under the law, it can award fines of up to €20m or 4 per cent of annual turnover – and it has wielded the new power with aplomb, handing out a €50m penalty.

In a statement, the agency slammed the Chocolate Factory for a lack of transparency, and said that users weren't able to understand the extent of Google's "massive and intrusive" data processing.

The information Google does provide "is not easily accessible for users", it said, as it is "excessively disseminated across several documents" and requiring as many as five or six actions to access.

"For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service."

In addition, the CNIL said users "are not fully able to understand" the extent of Google's data processing, which is described as "massive and intrusive" given the number of services – 20 – offered and the sheer volume of data involved.

"The purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes," the CNIL added.

Consent

Users are also unable to understand that Google is relying on consent as the legal basis for processing under GDPR, rather than the legitimate interest of the company.

And the consent it gathers up for ads personalisation is not valid, according to the CNIL's assessment, because it isn't specific or unambiguous, and users aren't sufficiently informed.

"The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent," the CNIL said.

The agency acknowledged that a user can make some modifications to their account once they have created it – but said "this does not mean that the GDPR is respected".

Rather, it pointed out that not only is this buried under a "more options" button, but also that the choice of ads personalisation is a pre-ticked box (this is a GDPR no-no as consent is only considered unambiguous if there is a clear affirmative action from the user).

Neither is the consent specific, the CNIL said, because Google requires full agreement to the Terms of Service and data processing in the Privacy Policy, rather than unbundling the different purposes, such as ads personalisation or speech recognition.

The CNIL said the fine, the biggest handed out for a data protection violation and the French agency's first penalty under GDPR, are "justified by the severity of the infringements".

"Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement."

So far, GDPR fines have been much smaller under the new regime: Germany handed out a €20,000 fine to a chat app, Austria €4,800 for unlawful use of CCTV, and Portugal €400,000 to a hospital for allowing staff to gain unlawful access to data.

Max Schrems, chairman of NOYB, welcomed the fine. "Large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products," he said.

"It is important that the authorities make it clear that simply claiming to be compliant is not enough."

The Reg asked Google to comment and will update the article when we receive a reply. ®




Biting the hand that feeds IT © 1998–2019