Google received a hefty fine of $57 million (€50 million) on 21 January 2019 from the French National Data Protection Commission (CNIL) for “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
Fines from the French regulator aren’t a new thing for Google, but under the old regime fines rarely exceeded €150,000. The regulator levied the record fine saying that it was “justified by the severity of the infringements observed regarding the essential principles”. This is the first GDPR fine against a US company after it came into effect.
Complaints against Google were filed in May 2018 by two privacy rights groups noyb (the brain child of Max Schrems) and La Quadrature du Net (LQDN). The first complaint was filed on the day GDPR went into effect and the groups claimed that the tech giant did not have a valid legal basis to process user data for ad personalisation under the new regulation.
In a published statement, CNIL says that people were “not sufficiently informed” about the way Google collects data to personalise ads and also that they had not obtained clear consent to process data. Essential information was apparently spread out throughout several documents and thus users were not able to fully comprehend the extent of the processing operations carried out by Google.
A spokesperson for Google claimed that the company is “deeply committed” to meeting the “high standards of transparency and control” that people expect of it. They said that the company was taking into account CNIL’s decision in order to decide their next steps.