The French data regulatory authority, the CNIL, has set a precedent which may rattle digital leaders across Europe, hitting the tech giant with a €50 million fine on Monday (21 January) for breaching EU data protection rules. EURACTIV France reports.
The fine, imposed under the EU’s General Data Protection Regulation legislation, is the first of its kind issued by a European regulatory authority.
“This is the first time that the CNIL has applied the new penalty thresholds provided for by the GDPR,” the French authority highlighted.
“The amount and the publicity of the fine are first justified by the seriousness of the deficiencies identified concerning the basic principles of GDPR: transparency, information and consent.”
France is criticising Google for not letting its users know what type of user data the Internet giant possesses.
“Essential information, such as the purposes for which data is used, the retention period for data and the categories of data used for customising adverts are excessively distributed in several documents, which comprises buttons and links which must be activated to become aware of additional information.”
Panic among IT leaders?
There is another problem IT managers are going to have to face: parameters of use. Google’s suggestion as to how users’ consent – or not – to give their data, and which data exactly, is too complicated, according to the CNIL.
The practice is common on the Internet, for search engines and other sites. In this case, the problem is that when creating an account, the user has to click on “More options” to be able to personalise the processing of their data, for advertising purposes, for example. Without this, they automatically get the default options, which include advertising.
As for the use of data itself, the CNIL deems that Google users are not able to give informed consent, both because changing the parameters involve several manipulations and because some options are pre-checked.
“The failures observed deprive users of fundamental guarantees concerning data processes that could reveal broad facets of their private life,” criticised the French authority.
GDPR fines can go increase to 4% of the global turnover of a company, under Article 89 of the text, CNIL underlined in their decision. In 2017, Alphabet generated €96 billion of turnover.
The regulatory authority regretted that GDPR infractions have not been corrected despite warnings. “Every day, thousands of French citizens create Google accounts” on Android, thus gifting their data to the Californian powerhouse.
Google responded to this clear criticism by saying that not all users create accounts and that only 7% of the French population use a Google account are actually affected by these issues.