Google has been fined almost $57 million by French regulators for violating Europe's tough new data-privacy rules, marking the first major penalty brought against a USA tech giant since the region-wide regulations took effect past year.
The French agency, CNIL, ruled today that the search giant had offered users inadequate information, spreading it across multiple pages, and had failed to gain valid consent for ads personalisation.
According to CNIL, Google's violations center around the ambiguity of information presented to users about their data collection and usage, as well as failure to include information about the data retention period for some information.More news: National Football League releases 2019 global schedule, no Steelers in sight
Google said in a statement it is "deeply committed" to transparency and user control as well as GDPR consent requirements. "It is important that the authorities make it clear that simply claiming to be complaint is not enough". None of Your Business, a nonprofit association that launches court cases in support of the GDPR, and La Quadrature du Net, a French digital rights advocacy group, both accused Google of not having a valid legal basis to process user data for ad personalization, as is required by the GDPR.
The Reg asked Google to comment and will update the article when we receive a reply.
CNIL took the lead on the investigation because, while Google's European Union headquarters are in Ireland, it has no decision-making power when it comes to how Google treats people's data.
The outside of the Google offices is seen in Manhattan in New York City, New York, U.S., January 18, 2019.More news: 5 records made by Vicky Kaushal's Uri: The Surgical Strike in just 10 days
They said Google had made it too hard for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising. Google's description of why it's processing their data is "described in a too generic and vague manner", it added.
It said the option to personalise ads was "pre-ticked" when creating an account, which did not respect the GDPR rules.
France's maximum data protection fine used to be a mere €150,000, though it upped that to €3 million in the two years before the GDPR law took effect.
Under the law, it can award fines of up to €20m or 4 per cent of annual turnover - and it has wielded the new power with aplomb, handing out a €50m penalty.More news: Tesla To Cut 7 Percent Of Workforce
The French watchdog said it set the fine at €50 million in light of the severity of the infringement.