Google gets 50 million euro GDPR fine for lack of transparency

Published on Tuesday, January 22, 2019 - 09:03 by Peter Galdies

France’s Data Protection Authority, the CNIL, has announced a 50 million euro fine for Google.

The CNIL determined that personalisation of advertisements was conducted with a lack of transparency, inadequate information and no valid consent. While users can modify some options associated with the account and also configure the display of personalised ads, this in itself was not enough, as the consents collected were not “specific” or “unambiguous”.

The CNIL stated “That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalisation is moreover pre-ticked. However, as provided by the GDPR, consent is ‘unambiguous’ only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Finally, before creating an account, the user is asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalisation, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.”

They summarised: "The information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google's legitimate business interests."

This fine is the first imposed by the CNIL under the GDPR and it warns that further sanctions are on the agenda: “It is not a one-off, time-limited, infringement.”

Google has responded: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of GDPR. We're studying the decision to determine our next steps."

Keen observers will note that consent granularity has been a grey area for many, with businesses often keen to aggregate processes into single consents and with little or no practical guidance on what to do. Hopefully this high-profile early case will begin to illustrate just how granular consents must be during data collection.

The case was initiated by two associations, None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was supported by 10,000 people in referring the matter to the CNIL.

You can read the CNIL's statement here (in French).

 
