Google was hit with a €50 ($56.8) million financial penalty in accordance with the General Data Protection Regulation (GDPR) by the Commission Nationale de l’informatique et des Libertés (CNIL) for violating transparency and information obligations and for not obtaining user consent for processing data for ads personalization purposes.
The French watchdog’s fine against Google follows complaints filed by None Of Your Business (NOYB) and La Quadrature du Net (LQDN) on 25 and 28 May 2018 against Google LLC for “not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purpose.”
GDPR is a user and data privacy regulation which came into effect in the European Union on May 25, 2018. It was quickly put to use by NOYB, which filed four complaints against Google, Facebook, Instagram, and WhatsApp on the same day over their use of “forced consent.”
Google found to violate two GDPR requirements
CNIL launched an online inspection to check the compliance of Google’s processing operations with both the GDPR and the French Data Protection Act “by analysing the browsing pattern of a user and the documents he or she can have access, when creating a GOOGLE account during the configuration of a mobile equipment using Android.”
The investigation led to the conclusion that the search giant was violating two GDPR provisions by not providing easy access to essential information regarding its services to its users, and not legally obtaining user consent to process data for ads personalization.
First, although Google does publish all the information required by the GDPR, the company makes it very hard for its users to find it and, in multiple cases, that information is neither clear nor comprehensive, according to CNIL.
Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.
Secondly, even though Google says that it asks for its users’ consent before processing data meant for ads personalization, CNIL’s restricted committee found that this is not the case, given that users are not sufficiently informed during this process and the consent is neither “specific” nor “unambiguous,” as required by the GDPR.
Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). [..] Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.
As concluded by CNIL’s press release regarding Google’s €50 million financial penalty, the fine was justified by the gravity of the company’s infringements of essential GDPR principles such as information, transparency, and consent.
Google not the first nor the last to violate EU’s GDPR
The severity of the violations in this case was also amplified by the fact that, as detailed in the French watchdog’s report, Google is still violating the GDPR’s provisions on a continuous basis.
Meanwhile, Google-owned YouTube is also the target of a GDPR complaint filed by NOYB for violating the “right to access” provision described in the EU regulation’s Article 15, with a maximum penalty that could reach €3.87 billion according to the NGO.
Multiple tech companies were targeted with GDPR complaints after the regulation was enacted in the EU. Google had previously come under fire in November 2018 as the main culprit in complaints filed by multiple consumer groups, according to The European Consumer Organisation, over deceptive practices used to track user location.
Additionally, Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian were also subjects of a GDPR complaint filed by user rights group Privacy International because of their practice of collecting the data of millions and using it to create user profiles.