France’s data-privacy watchdog, known as the CNIL, slapped Google with a €50 million ($56.8 million) fine on Monday (Jan. 21), claiming the US tech giant was in breach of Europe’s new General Data Protection Regulation (GDPR), which was designed to protect consumers’ rights to privacy and anonymity when it comes to the data they share with businesses.
Although Google is a US company, any business that takes personal data from consumers residing in the European Union must be compliant, or risk hefty fines. According to the CNIL’s statement, Google violated GDPR for “lack of transparency, inadequate information, and lack of valid consent regarding the ads personalization.” This marks the first major penalty against a US company for violating the regulations, which took effect in May.
Among other issues, the CNIL found that Google made information about data processing and storage times, and the way such information is used for personalized ads, difficult for consumers to access. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” reads the statement. The CNIL also found that, although users can choose to configure their personalized ads, Google makes these options challenging to find, and pre-ticks boxes to opt in, rather than asking users to expressly give their consent.
Two complaints issued in May 2018 triggered the investigation, which began immediately after the ratification of GDPR. One of those complaints came from Austrian privacy activist Max Schrems, who heads the nonprofit None of Your Business (NOYB), and has brought similar suits against Facebook.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” Schrems said in a statement. “Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products… It is important that the authorities make it clear that simply claiming to be compliant is not enough.”