France’s data watchdog on Monday announced a fine of 50 million euros for US search giant Google, using the EU’s strict General Data Protection Regulation (GDPR) for the first time.
Google was handed the record fine from the CNIL regulator for failing to provide transparent and easily accessible information on its data consent policies, a statement said.
The CNIL said Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a Google spokesperson said in a statement.
“We’re studying the decision to determine our next steps.”
The ruling follows complaints lodged by two advocacy groups last May, shortly after the landmark GDPR directive came into effect.
One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, while the other was by None Of Your Business, created by Austrian privacy activist Max Schrems.
Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes online or on its apps which imply that its services will not be available unless the conditions of use are accepted.
“Also, the information provided is not sufficiently clear for the user to understand that the legal basis for targeted advertising is consent, and not Google’s legitimate business interests,” the CNIL said.
“We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” Schrems said in a statement after the ruling.
“It is important that the authorities make it clear that simply claiming to be compliant is not enough.”