Google has been fined $56.8 million by privacy regulators in France, marking the country’s first use of the tough new privacy rules enacted in Europe last year. Specifically, the company is accused of violating provisions of the General Data Protection Regulation (GDPR) by using, without proper consent, the private data of users to craft personalized ads; and by burying key privacy disclosures pages deep, amid oceans of text.
In a statement Monday, France’s privacy watchdog, CNIL, said that Google had been fined for needlessly obscuring information concerning the processing of its users’ data, which Europe’s privacy rules demand be made more easily accessible. Essential information about how user data is processed, stored, and used, it said, was “excessively disseminated across several documents.” It required, in some cases, up to five or six steps to unearth key disclosures, including details of how Google amasses personal information to help it pinpoint a user’s location.
Some of the information, it said, “is not always clear nor comprehensive.”
While Google says it obtains the consent of consumers prior to using their data to personalize ads, the French commission found Google’s process for informing users about what precisely they’re consenting to to be wholly inadequate. Users are “not sufficiently informed,” it said, finding Google’s language “vague” and its violations to be “continuous.”
In regard to the violations, CNIL wrote:
Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.
Google told reporters in response that it was “studying the decision” to inform its next steps. “People expect high standards of transparency and control from us,” it said, adding that it remained “deeply committed to meeting those expectations and the consent requirements of the GDPR.”
TV station France 24 reported that CNIL’s judgement followed complaints filed by two advocacy groups in May—one by La Quadrature du Net, the French digital rights group, and another by Austrian privacy activist Max Schrems.
“We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” Schrems reportedly told the station. “It is important that the authorities make it clear that simply claiming to be compliant is not enough.”