Google fined £44m for GDPR breach

Google has failed to provide transparent and easily accessible information on its data consent policies the French data watchdog, the Commission Nationale de l’Informatique et des Libertés (CNIL) found.

CNIL has imposed a £44 million fine following the results of an inquiry into GDPR compliance complaints put forward by French privacy rights organisations None Of Your Business and La Quadrature du Net.

Google failed to satisfactorily inform users about how their data is collected and used in serving advertisements and marketing messages, CNIL announced earlier this week.

The agency stated that Google failed to properly obtain user consent for the purpose of using their data to serve personalised advertising.

CNIL confirmed the fine in a statement: “The CNIL’s restricted committee imposed a financial penalty of 50 million euros against the company Google LLC, in accordance with the GDPR, for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.”

Google breached several violations including the fact that essential information on privacy Google provides to users is not easily accessible.

In its compulsory terms and conditions, Google does not spell out why it is using personal data, how long the data is stored, or what categories of data are set to be used for targeting advertising.

CNIL found that key information is “excessively scattered throughout several documents, which include buttons and links that it is necessary to activate to read additional information.

“Relevant information is accessible only after several steps, sometimes involving up to five or six actions.”

The data violation was described as “massive and intrusive” due to the number of services offered, pushing twenty in total, the nature of the data required for users to process and filter is excessive and described by CNIL as: “not sufficiently clear for the user to understand that the legal basis of the advertising personalisation treatments is the consent, and not the legitimate interest of Google.”

Google is the first major US technology company to be punished for failing to meet the GDPR regulations since the European Union introduced the privacy-focused rules in May 2018.

• Read more Getting set for GDPR

Google chief financial officer Ruth Porat spoke today at the World Economic Forum and likened the value of data to the world most valuable commodity, according to Business Insider Porat said: ”Data is more like sunlight than oil … It is like sunshine, we keep using it and it keeps regenerating.”

Porat pointed to the way in which Google uses data for good including research and the development of an algorithm to detect the spread of breast cancer. She made no comment on the data fine, however did note: “We support privacy laws in the US and trust is paramount.”

Porat refused to comment on the fine Google received the day prior to her speech.

The penalty fine may seem like a win for users privacy rights, however The Telegraph reported that one Facebook executive-turned-professor suggested the fine against Google is a calculated move proving “Europe was out for American blood in a bid to protect their own technology industry.”

Former Facebook chief information security officer Alex Stamos turned to Twitter to explain the “terrible privacy issues with ad networks,” he stated it would be “very hard to find a European advertiser who lives up to these standards.”

There are terrible privacy issues with ad networks, trackers, analytics engines, optimizers, etc. There is also the difficult question of figuring out how content is paid for online. One way to avoid dealing with that conflict is to use GDPR as a PR tool against US companies.

— Alex Stamos (@alexstamos) January 21, 2019

While Google is the first organisation to be fined by breaching GDPR compliance, it is not the first investigation issued by CNIL, who handed a cautionary warning to French-based advertising technology company Vectaury in November last year.

Vectaury collects and processes geolocation data through a software development kit for programmatic advertising. CNIL called out Vectaury on its consent management platform, finding it failed to supply a lack of consent for its users to be adequately informed and specific opt-in options.

The company had three months to purge any data that was collected without consent, stop processing location data without a legal basis to do so and to present all of its practices are compliant for the CNIL.