France’s data protection authority issued a 50 million euro fine against Google on Monday for failing to comply with the General Data Protection Regulation.
Not only was Google found not to have the proper consents in place from its users to collect and process data for personalization and ad targeting, it may not even have a legal basis to do so at all, since users are so ill-informed about what Google wants to do with their data.
Google relies on consent to process user data for personalization purposes.
According to the CNIL (the Commission nationale de l'informatique et des libertés), Google’s process for obtaining consent isn’t transparent or specific enough and doesn’t give users the information they need to make an informed decision.
The CNIL also claims that Google’s approach to data collection is “particularly massive and intrusive” because it doesn’t gather consent for ad personalization for each of Google’s different services separately, including Search, YouTube, Google Home, Google Maps, the Play Store, Google Photo and others.
In other words, Google was found to have committed a cardinal sin under GDPR, which states that a company must obtain consent for each specific way it wants to use personal data. Google also pre-checks boxes by default during the consent gathering process, which is another major GDPR no-no.
The CNIL’s ruling follows a series of complaints filed by two nonprofit groups, La Quadrature du Net and None Of Your Business (NOYB), both of which accused Google of not having a legal basis for processing the personal data of its users.
None Of Your Business is led by Max Schrems, the Austrian lawyer and privacy campaigner responsible for bringing the 2013 legal challenge against Facebook’s international data-sharing practices that ultimately overturned the Safe Harbor agreement.
On May 25, 2018, the day GDPR went into effect in Europe, Schrems and None Of Your Business filed a class action lawsuit against Google for “coercing” its users into giving consent for data collection, which is what the CNIL is now reacting to. Schrems also filed suits against Facebook, Instagram and WhatsApp that day, so another shoe may yet drop impacting Google’s co-duopolist.
The NOYB suits were filed in France, Austria, Belgium and Hamburg, Germany – all jurisdictions with active data protection authorities.
“These places were not chosen arbitrarily or by accident,” noted Dominique Shelton, co-chair of the ad tech privacy and data management practice at Perkins Coie, in a previous interview.
Until now, the CNIL had focused most of its attention on the little guys, using public enforcement actions to make an example of smaller companies. These companies, mainly French ad tech startups focused on the location data space, were given time to mend their ways rather than being hit with a fine right off the bat.
The CNIL’s action against Google could be “a symbolic message sent to show that not only small companies are targeted by the CNIL – even if 50 million euros is probably only 15 days’ worth of Google France’s revenue,” a French ad tech executive told AdExchanger.
Monday’s fine against Google, which translates to roughly $57 million, is the largest GDPR-related penalty to date and the first time either Google or Facebook is being called to task for running afoul of Europe’s new privacy laws. But it is also chump change for Google, whose ads business brings in billions every quarter.
However, the ruling is portentous for how European regulators feel about the duopoly: wary of large, US-based technology companies and more than willing to crack down.
In July of last year, the European Union hit Google with a $5.1 billion fine for breaking antitrust laws by striking deals with phone manufacturers to favor its Android operating system.