CNIL, the data protection regulator in France has issued a €50 million fine on Google for failure to comply with its GDPR obligations. This makes it the biggest GDPR fine yet that has been issued by the European regulator and a first for one of the tech giants to be found lacking of compliance to the regulations that came into force in May of 2018.
GDPR was brought in as an attempt to rein in the power that giant tech companies held and the threat they posed to our privacy. So this regulation has become the one weapon that restores a human’s right to privacy which brings us to Google’s massive GDPR fine.
Based on a complaint by Max Schrems’ privacy group NOYB and the French group La Quadrature du Net, CNIL investigated the process for setting up a Google account from an Android device. After doing so, they concluded that Google had breached the GDPR in 2 ways:
- Failure to meet transparency and information requirements
- Failure to obtain legal reasons for processing said data
As per the law, fine of up to €20m or 4 per cent of annual turnover can be awarded by the CNIL. This they have done with ease as they handed out a €50m penalty!
In a statement issued by them, the agency said that the fine was issued as Google failed to provide enough information to users about their data consent policies and also didn’t allow them to have enough control over the use of their data.
These violations are yet to be rectified by Google, according to the regulator.
The €50 million fine does seem large but it is miniscule when in comparison to the maximum limit that is allowed by the GDPR. According to the maximum limit, a company needs to be fined a maximum of 4% of the annual global turnover which made it $33.74 billion in just the last quarter, which is billions of dollars in fine!
Sonia Cissé, the managing associate at the London-based law firm Linklaters said, “More than just a significant amount of money, this sanction is particularly detrimental to Google as it directly challenges its business model and will, in all likelihood, require them to deeply modify their provision of services.”
When it comes to consent, users are unable to understand whether Google relies on consent as the legal basis for processing because of GDPR instead of just for their own interest. The consent it collects to personalize its ads gets diluted in several documents and doesn’t enable the user to be aware of their extent.
The CNIL acknowledged that users are able to make account modifications once created but it was hidden under a ‘more options’ button. Also the ads personalization choice was accompanied by a pre-ticked box which is a big no-no under GDPR laws as the consent is then considered ambiguous as there isn’t a clear affirmative action taken by the user.
Due to the severity of the infringements, CNIL believes that the fine, biggest handed out and first by the French agency, is justified. In their issued statement, “Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
The chairman of NOYB, Max Schrems, welcomes the fine, “Large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
In response to the fine, a spokesperson from Google conveyed how deeply committed they are to meeting the high standards of transparency and control that people have come to expect from it. In order to determine their next move, the company is studying the CNIL’s decision.
Google has then announced that it plans to appeal the fine as they were concerned about the impact this ruling would have on the publishers, the original content creators and the tech companies that are based in Europe and beyond. (AFP)