General Data Protection Regulation (GDPR) , Governance & Risk Management , Incident & Breach Response
France Hits Google With $57 Million GDPR FineRecord Privacy Fine Sends Strong Signal to Data Processing Technology Companies
France on Monday imposed a €50 million ($57 million) fine against Google for violations of the EU's General Data Protection Regulation, sending a strong to message to the technology giant that its privacy and data collection practices are inadequate.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The penalty, levied by the country's National Data Protection Commission, abbreviated as CNIL, is the largest fine handed out so far under GDPR, which is intended to better protect Europeans' personal data.
"The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of GDPR: transparency, information and consent," CNIL says. It has also published a longer penalty notice, written in French, outlining in full the fine against Google.
CNIL cautions that Google - including its advertising personalization model - does not currently comply with GDPR, and must come into compliance as quickly as possible. "The violations are continuous breaches of the regulation as they are still observed to date," CNIL says in its penalty notice. "It is not a one-off, time-limited infringement."
Google officials in Sydney say the company was studying CNIL's decision and that it is "deeply committed to meeting those expectations and the consent requirements of the GDPR."
EU data protection authorities can impose fines of up to €20 million ($23 million) or 4 percent of an organization's annual global revenue - whichever is greater - on any organization found to have violated GDPR. Regulators can also revoke an organization's ability to process individuals' personal data.
In 2017, the annual global revenue for Alphabet, Google's parent company, was $110.8 billion. Accordingly, the maximum fine that could have been levied by CNIL would have been $4.4 billion.
Hence, a $23 million fine won't have a major financial impact on Google. But the penalty does serve notice that EU privacy watchdogs are reviewing technology companies' data collection and usage practices, and that if they don't like what they find, organizations might face profit-impacting sanctions.
"If GDPR is actually going to be enforced like this going forward, and it's not just a one-off French expedition, the entire business model of Google and Facebook as it pertains to using personal information for ad targeting is in doubt," tweets David Heinemeier Hansson, the creator of Ruby on Rails and founder of Basecamp. "About bloody time."
If GDPR is actually going to be enforce like this going forward, and it's not just a one-off French expedition, the entire business model of Google and Facebook as it pertains to using personal information for ad targeting is in doubt. ABOUT BLOODY TIME!— DHH (@dhh) January 21, 2019
Other European complaints filed against Google under GDPR remain pending. Consumer organizations in seven countries filed complaints in November 2018 over how Google obtains permission to collect the location of users, as well as their browsing data and interactions with mobile apps (see: Google Faces GDPR Complaints Over Web, Location Tracking).
Google: We're Committed to GDPR
CNIL's action comes from its investigation of complaints filed by two privacy-focused advocacy groups: None of Your Business and La Quadrature du Net. NOYB filed its complaint on May 25, 2018 - the day GDPR went into effect - and LQDN filing its complaint three days later.
Max Schrems, an Austrian lawyer who is chairman of NOYB, hailed CNIL's decision. Schrems has been an influential data privacy activist, and it was his legal complaint involving Facebook that eventually led to the invalidation of the Safe Harbor agreement in 2015 by the European Court of Justice (see Europe's New Privacy Shield: Will It Hold?).
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law," Schrems says. "Following the introduction of GDPR, we have found that large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products."
As the deadline for GDPR approached, Google had sought to deflect potential regulatory action by maintaining that its data processing systems were transparently described to consumers as well as by revamping some of its privacy controls.
"We offer transparency to users through clear explanations of how we use personal data and our 'Why This Ad' program, while giving people controls to manage their privacy through My Account and My Activity," wrote William Malcolm, director of privacy and legal in Europe for Google, in an August 2017 blog post.
Data Processing: Unclear
But CNIL concluded that Google violated two aspects of GDPR, based on the regulator's examination of the account creation steps in place on an Android phone.
First, the agency alleges that Google does not transparently communicate the scope of data processing used for targeted advertisements. "Users are not able to fully understand the extent of the processing operations carried out by Google," CNIL says.
Second, CNIL says Google left consumers uninformed about how their personal data would be used, in violation of GDPR's requirement to ensure that consent from customers is specific and unambiguous.
The French regulatory agency criticized the documentation and advice that Google shows users as "too generic and vague," giving users little insight into the "particularly massive and intrusive" data processing systems that are used for ad personalization.
The regulator also found that the "general structure" for how Google presents those controls violates GDPR. For example, users must take five or six actions to get to the relevant information. "Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information," CNIL says.
CNIL also contended that Google doesn't obtain proper consent for ad personalization. Google, it alleges, doesn't concisely explain that ad personalization will run across services such as Google Play, Maps, YouTube and its search engine. Rather, Google's documentation is "diluted" and doesn't meet GDPR requirements that consent be obtained in a specific and unambiguous manner, it alleges.
The regulator also took issue with Google's default settings when an individual creates an account, which automatically pre-select a box that allows for ad personalization. Under GDPR, consent is supposed to be unambiguous, in the sense that a user must take a purposeful action to select - or opt in - to such settings.
Google's pre-checked box is a "clear violation of GDPR," says Kevin Curran, a cybersecurity professor at Ulster University in Northern Ireland. Under GDPR, he adds, user consent "also must be a positive opt-in and consent can never be inferred from silence or nefarious activities such as pre-ticked boxes or inactivity."
CNIL's fine against Google puts on notice any firm that collects or processes Europeans' personal data. "Despite numerous statements by Google that it takes the protection of people's data seriously, the decision demonstrates that they have a long way to go and that regulators will take action to hold companies that fail to comply with GDPR to account," says Ailidh Callander, legal officer for London-based civil rights group Privacy International.
"That the decision comes in response to complaints by NOYB and LQDN (representing 10,000 people) also demonstrates the importance of the role of civil society in raising these issues," she adds.
GDPR: Influencing the United States
Although GDPR only safeguards Europeans' personal data, its impact is being felt worldwide. Technology giants such as Microsoft and Facebook have said they will apply GDPR's principles worldwide. Many believe that the privacy law, over time, will cause privacy and data regulations around the world to offer greater protections.
Some countries have farther to go than others. The United States, for example, still lacks a federal privacy law that applies to consumers. But GDPR, combined with the unending pace of massive data breaches spilling consumer data, as well as ongoing privacy scandals, has been fueling legislative interest in data privacy and security.
Last week, Sen. Marco Rubio, R-Florida, introduced the American Data Dissemination Act, saying it could provide consumers with basic data privacy rights and increased transparency about how their personal data gets collected and used. The legislation would be modeled after the Privacy Act of 1974, which governs the handling and release of personal records but now only applies to federal agencies.
"Your data is incredibly valuable, and for the most part, it is not even yours," Rubio writes in an op-ed in The Hill. "But use of your personal data is governed by antiquated laws that do not work in the modern economy."
Under Rubio's plan, the Federal Trade Commission would give privacy recommendations to Congress six months after the law went into effect. If Congress failed to act on those recommendations within two years, the FTC could put into effect its own rules, based on the Privacy Act framework, Rubio writes.
Executive Editor Mathew Schwartz contributed to this report.