The French Data Regulator (CNIL) has fined Google €50 million (£44 million) for breach of EU data protection rules.
This world-record fine was in response to Google’s ‘lack of transparency, inadequate information and lack of valid consent regarding ads personalisation’.
The complaint was initially filed against Google by two European privacy rights groups on 25 May 2018 (the date GDPR came into effect). The groups argued that Google did not have a valid legal basis to process user data for ad personalisation, as required under the GDPR.
It was found that users are not able to fully understand the extent of the processing operations carried out by Google. Essential information was disseminated across several documents, making it difficult for users to find information such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, and therefore to opt out of data-processing for personalisation of ads.
It was also found that Google had not sought specific consent for the use of a user’s information for personalisation of adverts, but rather asked the user to give his or her consent in full for all the processing purposes carried out by Google. This approach is too broad, as under the GDPR consent should be given distinctly for each purpose. The option to personalise ads was also “pre-ticked” when creating an account, which is likewise in breach of GDPR rules.
Although this is a record-breaking fine, the maximum fine for large companies under GDPR is 4% of annual turnover, meaning the theoretical maximum fine for Google is almost €4 billion.
The decision highlights the importance of companies being clear about how they hold and use data as well as ensuring suitable policies are in place – and sticking to them.