France’s data privacy regulator imposed a €50 million fine against Mountain View search giant Google for violating the European Union’s (EU) General Data Protection Regulation (GDPR).
The fine represents the largest fee imposed on a company for failing to meet GDPR obligations.
According to a January 21st, 2019 media release issued by the Commission nationale de l’informatique et des libertés (CNIL), Google violated the GDPR’s “obligations of transparency and information” by inadequately expanding on the company’s data processing purposes, data storage periods and categories of personal data used for ad personalization.
“Users are not able to fully understand the extent of the processing operations carried out by Google,” reads an excerpt from the same January 21st CNIL media release.
France also fined Google for failing to “have a legal basis for ads personalization processing.”
“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent,” reads another excerpt from the same media release.
CNIL added that Google inadequately obtained user consent for ad personalization in a way that was specific or unambiguous.
“Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” wrote CNIL.
CNIL noted that Google does attempt to properly inform users about the company’s data collection procedures, but that the information provided isn’t enough for the company to meet the EU’s GDPR requirements.
“…Taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a Google account when using their smartphone,” said CNIL.
The GDPR — which came into force on May 25th, 2018 — is a comprehensive collection of data protection laws aimed at ensuring companies adequately provide users with transparent information about how personal data will be used.
The Verge reported that Google’s €50 million fine is the largest GDPR fine to date.
“People expect high standards of transparency and control from us,” wrote a Google spokesperson, in an email to MobileSyrup.
“We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
Though unrelated to the GDPR, the EU fined Google approximately $6.68 billion in July 2018 for breaking the EU’s antitrust laws through the Android mobile operating system.
Google CEO Sundar Pichai said his company would appeal the EU’s decision.