Google Fined For GDPR Violation by French Data Protection Watchdog

Alex Hern, the Guardian:

The French data protection watchdog CNIL has fined Google a record €50m (£44m) for failing to provide users with transparent and understandable information on its data use policies.

For the first time, the company was fined using new terms laid out in the pan-European general data protection regulation. The maximum fine for large companies under the new law is 4% of annual turnover, meaning the theoretical maximum fine for Google is almost €4bn.

The fine was levied, CNIL said, because Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, by splitting them across multiple documents, help pages and settings screens.

That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads.

Laws like these are no good without enforcement, so this fine is important if for no other reason than to reiterate that the E.U. intends to follow through. But, much like the fines being considered for Facebook in the United States, this is a relatively small fine for a company like Google. I’m not necessarily saying that this fine should have been larger; it is a first offence under this law, after all.

Also, I sincerely hope CNIL next goes after Criteo, a major French adtech firm. Navigating its website past the homepage automatically opts users into receiving cookies for highly relevant retargeting purposes, which is prohibited under GDPR, and opt-out settings are buried in the website’s privacy policy.