France hits Google with 50 million euro data consent fine
Joseph Schmid AFP • January 21, 2019
Paris (AFP) - France's data watchdog on Monday announced
a fine of 50 million euros ($57 million) for US search giant Google, using the
EU's strict General Data Protection Regulation (GDPR) for the first time.
Google was handed the record fine from the CNIL regulator
for failing to provide transparent and easily accessible information on its
data consent policies, a statement said.
The CNIL said Google made it too difficult for users to
understand and manage preferences on how their personal information is used, in
particular with regard to targeted advertising.
"People expect high standards of transparency and
control from us. We're deeply committed to meeting those expectations and the
consent requirements of the GDPR," a Google spokesperson said in a
statement.
"We're studying the decision to determine our next
steps."
The ruling follows complaints lodged by two advocacy
groups last May, shortly after the landmark GDPR directive came into effect.
One was filed on behalf of some 10,000 signatories by
France's Quadrature du Net group, while the other was by None Of Your Business,
created by the Austrian privacy activist Max Schrems.
Schrems had accused Google of securing "forced
consent" via its Android mobile operating software through the use of
pop-up boxes online or on its apps which imply that its services will not be
available unless the conditions of use are accepted.
"Also, the information provided is not sufficiently
clear for the user to understand that the legal basis for targeted advertising
is consent, and not Google's legitimate business interests," the CNIL
said.
"We have found that large corporations such as
Google simply 'interpret the law differently' and have often only superficially
adapted their products," Schrems said in a statement after the ruling.
"It is important that the authorities make it clear
that simply claiming to be compliant is not enough."
- 'Special responsibility' -
The GDPR is widely considered the biggest shake-up to
data privacy regulations since the advent of the web.
Even companies which are not based in Europe must follow
the tough new rules if they want their sites and services to be available to
European users.
The CNIL found that despite changes implemented by Google
since last year, it was still failing to respect the spirit of the new rules.
It noted for example that specifics on how long a
person's data is kept and what it is used for are spread across several
different web pages.
Modifying a user's data preferences also requires
clicking through a variety of pages such as "More Options", and often
the choices to accept Google's terms are pre-checked by default.
"This type of procedure leads the user to give
global consent... but the consent is not 'specific' as the GDPR requires,"
the regulator said.
It said the record 50-million-euro fine reflected the
seriousness of the failings as well as Google's dominant market position in
France via Android.
"Each day thousands of French users create a Google
account on their smartphones," the CNIL said.
"As a result the company has a special
responsibility when it comes to respecting their obligations in this
domain," it said.
It is not the first time the regulator has taken Google
to task over its policies.
In 2014 it fined the company 150,000 euros -- the maximum
possible at the time -- for failing to comply with its privacy guidelines for
personal data.
And in 2016 it imposed a 100,000-euro penalty over
non-compliance with the EU's "right to be forgotten" rule, allowing
people to request having references to them removed from search results.
Google has contested the decision, saying it should apply
only to its European sites, such as Google.fr, and not the global Google.com
domain.
Earlier this month the advocate general for the European
Court of Justice in Luxembourg sided with Google in the case, though a final
ruling has not yet been announced.