Google fined €50m in scathing ruling by French privacy watchdog
French data watchdog CNIL has fined Google €50m and slammed the online giant’s privacy policies in a ruling on the company’s GDPR compliance.
In a ruling handed down on Monday, the regulator found the company’s data policies lacked transparency and that users’ consent for ad personalisation had not been validly obtained.
The regulator’s ruling followed complaints from two consumer digital rights groups, None Of Your Business and La Quadrature du Net, who claimed Google did not have the right to process users’ data for personalised ads under French law.
During its investigation the regulator looked at Google’s compliance under the French Data Protection Act and the GDPR in the company’s monitoring of users’ browsing pattern documents usage on Android devices.
The regulator found Google’s procedures for users to access their data were unnecessarily convoluted with the procedure taking up to six steps. The ruling also criticised the clumsy way information was given to users with the regulator pointing out data was often not comprehensive or clear and was frequently generic or vague.
Google also failed to provide information about the retention period of some data.
More scathingly, the CNIL found Google had not validly obtained users’ consent for processing data to serve personalised ads, ruling that users had not being sufficiently informed and that the acceptance of the terms was neither“specific” nor “unambiguous”.
“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent,” the ruling stated.
“For example, in the section ‘Ads Personalization’, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.”
In levying the €50m fine, the regulator said Google continued to frustrate users’ ability to control their data, and wasn’t sufficiently informing them of how data would be used under the GDPR.
A Google spokesperson told Mumbrella the company was reviewing the ruling: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
Mumbrella has contacted the Office of the Australian Information Commissioner as to what aspects of the French ruling may apply under Australian law and whether any similar complaints have been received.
