The French data protection regulator has issued the first fine under GDPR, slapping Google with a €50m (£44m) penalty for failing to provide transparent and easily accessible information on its consent policies.
The CNIL regulator said that Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
The ruling follows complaints in May from two European pressure groups, None Of Your Business (NOYB) and La Quadrature du Net. Both groups accused Google, as well as a number of other large Internet companies including Facebook, of not having a valid legal basis to process the personal data of users of its services, “particularly for advertisement personalisation purposes”.
At the time, NOYB, which is led by the Austrian privacy campaigner Max Schrems, argued that companies sought consent for advertising personalisation by offering a simple “take it or leave it” approach to the entire service, and said any such consent obtained should be considered invalid given the “powerful position these companies have”.
Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes online or on its apps which imply that its services will not be available unless the conditions of use are accepted.
In a statement after the ruling, Schrems said: “We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
Let battle commence: first GDPR complaints are filed
EU chief predicts first GDPR rulings before year-end
Data breach complaints soar by 160% in three months
The dam bursts: companies hit by flood of data requests
ICO takes no prisoners as complaints and fines rocket
Only a fifth of UK companies are compliant with GDPR