Google hit with £44 million fine for breaching GDPR

Wednesday, 23 Jan, 2019

France's regulatory body dealing with data privacy has fined Google €50 million regarding advertisers' access to users' personal data, it announced on Monday.

CNIL said it found two types of violations of European Union law, one for lack of transparency and information, the other for not having a legal basis to process user data for personalized advertisements.

'Also, the information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google's legitimate business interests, ' the CNIL said.

USA consumer advocates on Monday strongly encouraged Washington to follow Europe's lead.

The basis of the fine is that Google doesn't give customers enough information about how their data is being used.

Users' "consent" is now set as the global default setting, which fails to meet the regulator's requirement that companies obtain "specific" consent.

Google has been handed a €50m (£44m) fine by the French data protection regulator CNIL for breaching GDPR.

Around 10,000 people signed the initial petition to initiate an investigation, which was filed by France's Quadrature du Net group and None Of Your Business, an NGO which advocates for consumer privacy.

Although most major tech organizations - including Google - made sweeping changes a year ago in response to the passage of the GDPR rules, the CNIL says that Google hasn't done enough. "For example, in the section 'Ads Personalization, ' it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, PlayStore, Google pictures...) and therefore of the amount of data processed and combined".

Even though many tech multinationals like Google are headquartered in the US, they still have to comply with the new rules because they have millions of users in Europe. Companies can be fined a maximum of 4% of their annual global turnover. The regulation was brought into force on May 25, 2018 and CNIL (National Data Protection Commission) immediately received complaints in regard to Google's services.

In response, a Google spokeperson told The Local that the firm was "deeply committed" to transparency and control, and was "studying the decision" to determine what it would do next.

"It is likely that many people will say "no" to being profiled by Google when they learn the truth", he said.

The decision comes just days after noyb filed a new series of privacy complaints across Europe, this time targeting companies that include Google's YouTube, Amazon.com Inc., and Netflix Inc.