Alphabet’s Google was on the receiving end of a hefty €50m fine from France’s privacy regulator, which used
its new powers to levy much higher penalties for the first time under
European Union data protection rules.
France’s data authority CNIL said the amount of the fine was
“justified by the severity of the infringements observed regarding the
essential principles” of the EU’s General Data Protection Rules, or
GDPR. Those principles are “transparency, information and consent,” it said on Monday
in a statement.
The EU rules took effect across the 28-nation bloc on May 25, and
gave national privacy regulators equal powers to fine companies as much
as 4% of global annual sales for the most serious violations.
Google has come under CNIL’s scrutiny many times before, but under the
old rules, fines couldn’t exceed the maximum of €150 000. While
this is the first time CNIL has benefited from the new rules, several
other countries have issued fines.
The decision can be appealed. It was triggered by two complaints, one from noyb, a group created by Austrian privacy activist
Max Schrems. Google was accused of forcing users to agree to new privacy policies.
“People expect high standards of transparency and control from us,”
Google said in an emailed statement. “We’re deeply committed to meeting
those expectations and the consent requirements of the GDPR. We’re
studying the decision to determine our next steps.”
Schrems said his group is “very pleased” to see the new EU rules
being applied. “It is important that the authorities make it clear that
simply claiming to be compliant is not enough.”
CNIL said it found two types of violations of EU law, one for lack of
transparency and information, the other for not having a legal basis to
process user data for personalised advertisements.
“Despite the measures implemented by Google (documentation and
configuration tools), the infringements observed deprive the users of
essential guarantees regarding processing operations that can reveal
important parts of their private life since they are based on a huge
amount of data, a wide variety of services and almost unlimited possible
combinations,” CNIL said.
The breach also “is not a one-off, time-limited, infringement,” it said.
The decision comes just days after noyb filed a new series of
privacy complaints across Europe, this time targeting companies that include Google’s YouTube,