France’s data protection watchdog CNIL has slugged Google with AU$79 million (€50 million) fine for not gaining valid consent from Android users to use personal data for ads personalization and for providing inadequate information about how the data would be used.
The fine, announced on Monday, is the first time CNIL — France’s National Data Protection Commission — has imposed a financial penalty for non-compliance with the Europe’s General Data Protection Regulation (GDPR). Maximum fines under GDPR, which came into effect on May 25, can reach €20 million or four percent of annual global turnover.
Google's fine is the largest yet under Europe's new data protection laws. Uber, for example, got away with a comparatively light fine from CNIL of $460,000 (€400,000) in December because it concerned a data breach that occurred in 2016, before GDPR came into force.
Google’s fine was for major problems CNIL found with how Google gained Android users’ consent to process their personal data and how Google organised the information explaining how it processes that data. Google could also face future fines over the issue because Google’s violations of GDPR are “continuous breaches” that are still observed today.
“It is not a one-off, time-limited, infringement,” CNIL notes.
CSO Online has asked Google for a comment and will update the story if it receives a response.
CNIL kicked off its investigation on June 1, following two group complaints, one of which was filed within hours of GDPR coming into effect.
The first complaint was filed by None Of Your Business (“NOYB”), a non-profit run by Austrian privacy activist Max Schrems.
NYOB argued that consent was not valid under GDPR if the user has no real choice or suffers as a consequence of it.
Since consent wasn’t for a specific service, it would make the consent invalid, NYOB argued, noting Google’s “vague and unclear description” of the legal basis it relied on to gain consent.
CNIL’s committee that investigated the complaint agreed with NYOB, noting today that they found Google descriptions of the purposes for processing personal data and the categories of data processed were “too generic and vague”.
“Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined,” wrote CNIL.
CNIL in September inspected Google's mobile sign-up pages to verify its compliance with GDPR by looking at how users would browse Google’s documents on a mobile Android device.
It notes that “essential information” like a description of data processing purposes and types of data used for ad personalization are “excessively disseminated across several documents”. Also, it took users 5 or 6 steps to find complete information on data collected for personalization and location tracking.
Google didn’t validly gain user consent because the consent was neither “specific” nor “unambiguous”, as required under GDPR.
Consent is “specific” only if it s given for each purpose, according to CNIL, which Google’s checkbox covering all processing operations didn’t satisfy.
Explaining the massive fine, CNIL says the infringements found “deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”