(0)20 3051 2049
Google has been fined 50 million euros (£44m) by the French data regulator CNIL, for a breach of the EU’s data protection rules.
The first of several complaints were filed on 25th May 2018 – the day the legislation took effect.
Whilst UK law firms may not be exposed to quite such a high fine the news – which is being widely reported in the global media today – shows that issues around GDPR are alive and well and not to be ignored.
CNIL said it had levied the record fine for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. The regulator said it judged that people were “not sufficiently informed” about how Google collected data to personalise advertising.
Complaints against Google were filed in May 2018 by two privacy rights groups: noyb and La Quadrature du Net (LQDN).
The groups claimed Google did not have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR.
According to the BBC the regulator said Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents”.
“The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” the regulator said.
“Users are not able to fully understand the extent of the processing operations carried out by Google.”
Additionally, the regulator said Google had failed to obtain a valid legal basis to process user data. “The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent,” it said.
It said the option to personalise ads was “pre-ticked” when creating an account, which did not respect the GDPR rules.
“The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). “However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”
The regulator said it was Google’s “utmost responsibility to comply with the obligations on the matter”.
