Google have been fined a record €50m by the French data protection watchdog CNIL. The fine is for failing to give users understandable information about how their data is being used.
The European General Data Protection Regulation (GDPR) came into effect last year, after businesses had been given a year to prepare. The regulations forced many businesses to reassess how they hold customers’ personal data. They also gave European citizens stronger rights over what could happen to their data and the freedom to request that a company present everything it holds about them. The regulations apply to any business that holds data about a European citizen.
If a business fails to abide by the rules, it can be fined a maximum of 4% of its annual turnover. For Google, that would be almost €4bn, so you could say they got off lightly. Even though €50m is a drop in the ocean for the giant tech firm, it’s still likely to sting.
CNIL said the fine was given because Google made it hard for users to find important information by splitting it across multiple unrelated pages. Such information includes “the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”. This difficulty meant that users couldn’t clearly exercise their right to stop their data being used to personalise adverts.
The watchdog also found that users weren’t specifically asked to opt in to ad targeting, but rather only had to agree to Google’s terms and privacy policy. This conflicts with the GDPR requirement that consent be “specific” and “unambiguous”.
CNIL justified the large fine on the grounds that Google’s violations were continuous and still happening, even after GDPR had come into effect. Because Google relies on ad personalisation to sustain its business, the watchdog felt that Google of all companies had the utmost responsibility to comply with the regulation.
Last year, heat was placed on Google, and other large companies, after two pressure groups (None of Your Business and La Quadrature du Net) accused them of not having a proper legal basis to process user data, particularly within an advert personalisation context. They said that these services unfairly offered an all-or-nothing approach and that explicit consent should be gathered considering how powerful the companies are.
The €50m fine is the world’s largest for breaking data protection regulations. Privacy advocates are no doubt pleased by the outcome and other businesses are likely sitting up and paying attention – if they thought the GDPR fines were mere empty threats, this has shown them otherwise.
The fine follows Facebook’s €10m slapping from Italy’s competition regulator, after the company were found to be emphasising the free nature of the platform but failing to inform their users that their data would be used to generate profit for the company.
“People expect high standards of transparency and control from us,” said Google in a statement. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
Google Fined Millions for Unclear Data Policies