With the General Data Protection Regulation, Europe set out to unify privacy regulation and “ensure consistency of regulatory decisions for companies and EU citizens.” Google today was fined by France’s privacy regulator over the “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
This investigation began last year when France’s National Data Protection Commission (CNIL) received complaints over Google’s handling of personal data, especially with regard to ads. The French regulator specifically found two GDPR breaches after conducting online inspections in September 2018 on Android.
“A violation of the obligations of transparency and information” centers around Google not centralizing “essential information” on one page, and instead requiring users to go through “up to 5 or 6 actions.”
Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.
Additionally, regulators found that “some information [was] not always clear nor comprehensive,” while Google did not disclose how long it maintains user information.
The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company.
Meanwhile, the second breach focuses on a “violation of the obligation to have a legal basis for ads personalization processing,” meaning Google did not provide an explicit enough opt-in for advertising during the Account sign-up process on Android.
However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance).
As a result, Google was fined €50 million and could receive further penalties if it does not amend these practices. To date, this is the largest fine (via The Verge) issued against a company since GDPR came into effect last year.