Google has been fined $56.8 million for breaking the EU's GDPR rules

Posted January 23, 2019

Under the E.U's data privacy law, tech giants including Google must give users a full, clear picture of the data they collect, along with simple, specific tools for users to consent to having their personal information harnessed.

France's data protection watchdog is slapping Google with an unprecedented fine citing the company's failure to meet privacy and transparency standards with user information. They also say that the pop-ups now used by the company to ask for consent on Android software seem to threaten that services will not be available if the users don't accept the terms.

The ruling grew out of complaints filed in May by the groups None Of Your Business, helmed by privacy advocate Max Schrems, and La Quadrature du Net.

"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law", said Schrems in a statement. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.

"Google also did not properly obtain users' consent for the goal of showing them personalized ads", the Washington Post reported.

Second, control of the ad personalization data is provided to the user but is more or less tucked away under a "more options" page when creating an account that most users won't even think to click on.

"The purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes", the CNIL added. They are "transparency, information and consent", it said Monday in a statement.

The GDPR, which went into effect in May, introduced tougher rules on processing and storing personal data and requires companies to seek explicit consent before using personal data. Google also did not provide the retention period for some user data as required by the GDPR and FDPA, according to the regulators. Google also pre-ticks the boxes through which people agree to ad-personalisation. "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR - transparency, information and consent". The regulation set forth universal data privacy laws across the European Union and created projections for user's online data. For that reason, the fine actually targeted Google LLC, in the US.

"This is going to change the perspective between the profits that internet companies are able to make from the data of users and the risk of being sanctioned with fines", Mr. Dana said.