The National Data Protection Commission (CNIL) of France had issued a fine of €50 million (around $57 million) under the European Union’s new General Data Protection Regulation (GDPR) law on Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
CNIL has conducted investigation after receiving several complaints against Google in May 2018 following which the fine was imposed. The complaints were made by two non-profit organizations—None Of Your Business (NOYB) and La Quadrature du Net (LQDN).
CNIL found that Google has violated two important privacy rules of the GDPR—Transparency, and Consent.
First, Google makes it tough for the users to obtain essential information, like the “data-processing purposes, the data storage periods or the categories of personal data used for the ads personalization,” by unnecessarily circulating them across different documents with buttons and links and requiring up to 6 separate actions to get to the information. Even after getting the information they might be either not clear or comprehensive.
Secondly, Google fail to obtain the user’s valid approval to process data for ads personalization purposes.
When a Google account is created the option to personalize ads is ticked by default which makes it difficult for the users to opt out of data processing for ads personalization. This is illegal under the GDPR says CNIL.
The organizations NOYB and LQDN also filed a complaint against Facebook.
This is not the first time Google has been fined under privacy violation. Last July, the company was levied with a record $5 billion fine by the EU in an Android antitrust case, which Google is still appealing.
Google was also fined a penalty of $2.7 billion (2.4 billion euros) in 2017 by the EU over shopping-search results in Google Search.
In response to the current fine, the company stated that, as people expect high standards of transparency and control from them, they are highly committed to meeting those expectations and the consent requirements of the GDPR. They are currently examining the decision to determine their next move.