On Monday, France imposed a $57 million fine against Google for violations of Europe’s General Data Protection Regulation (GDPR), finding its privacy and data collection practices inadequate.
According to France’s National Data Protection Commission (CNIL), this is the largest fine handed out so far under GDPR, which is intended to protect Europeans’ personal data.
CNIL states that Google’s advertising personalization model does not currently comply with GDPR, and that the violations are continuous breaches of the regulation, as they are still observed to date. Europe’s data protection authorities can impose fines of up to $23 million or at least 4 percent of an organization’s annual global revenue, whichever is greater, on any organization found to have violated GDPR.
In 2017, the annual global revenue for Google’s parent company, Alphabet, was $110.8 billion. The maximum fine that could have been levied by CNIL would have been $4.4 billion.
A $23 million fine won’t have a major financial impact on Google. Nevertheless, the penalty does serve notice that Europe’s privacy watchdogs are analyzing technology companies’ data collection and usage practices.
Other European complaints filed against Google under GDPR remain pending. Several consumer organizations in seven countries filed complaints in November 2018 regarding how Google acquires permission to collect its users’ location, as well as their browsing data and interactions with mobile apps.
Google: We’re Committed to GDPR
CNIL’s action stems from its investigation of complaints filed by two privacy-focused advocacy groups, None of Your Business (NOYB) and La Quadrature du Net (LQDN). NOYB filed its complaint on May 25, 2018, the day GDPR went into effect, and LQDN filed its complaint three days later.
Max Schrems, an Austrian lawyer who is chairman of NOYB, hailed CNIL’s decision. Schrems is a data privacy activist, and it was his legal complaint involving Facebook that ultimately led to the invalidation of the Safe Harbor agreement in 2015 by the European Court of Justice.
As the deadline for GDPR approached, Google sought to deflect potential regulatory action by revamping some of its privacy controls and by maintaining that its data processing systems were transparently described to consumers.
Data Processing: Unclear
CNIL concluded that Google violated two aspects of GDPR, based on the regulator’s examination of the account creation steps in place on an Android phone.
First, CNIL alleges that Google does not transparently communicate the scope of data processing used for targeted advertisements. Second, CNIL says Google did not inform consumers about how their personal data would be used.
CNIL also states that Google doesn’t obtain proper consent for ad personalization. Google doesn’t explain that ad personalization will run across services such as Google Play, Maps, YouTube and its search engine. Rather, Google’s documentation is “diluted” and doesn’t meet GDPR requirements that consent be obtained in a specific and unambiguous manner, CNIL alleges.
The French regulator also took issue with Google’s default settings when an individual creates an account, which automatically pre-select a box that allows for ad personalization. Under the GDPR guidelines, consent is supposed to be unambiguous, in the sense that a user must take a purposeful action to select or opt in to such settings.
CNIL’s fine against Google is a clear warning to any firm that collects or processes Europeans’ personal data.
GDPR: Influencing the United States
Although GDPR only safeguards Europeans’ personal data, its impact is being felt worldwide. Companies such as Microsoft and Facebook have said they will apply GDPR’s principles worldwide. Many believe that the privacy law, over time, will cause privacy and data regulations around the world to offer greater protections.
Some countries will take longer to change their regulations. The United States, for example, still lacks a federal privacy law that applies to its consumers.
Last week, Sen. Marco Rubio, R-Florida, introduced the American Data Dissemination Act, which provides consumers with basic data privacy rights and increased transparency about how their personal data gets collected and used.
Under Rubio’s plan, the Federal Trade Commission would give privacy recommendations to Congress six months after the law went into effect. If in two years Congress fails to act on these recommendations, the FTC could put into effect its own rules.