Google has been fined €50 million (£44 million) by French regulator CNIL after it was found to have misused the data of users when delivering personalised ads.
It is one of the first big fines to be levied under the terms of the EU’s General Data Protection Regulation (GDPR), which came into force last year and spells out new, tougher requirements for how companies may use the personal data of their customers, as well as beefing up the penalties for failures.
The French regulator ruled that Google failed to comply with GDPR legislation by making it too difficult for users to find essential information about their data, while some details were found to be unclear or incomplete.
“Users are not able to fully understand the extent of the processing operations carried out by Google,” the CNIL said in a statement. “The processing operations are particularly massive and intrusive because of the number of services offered (about 20), the amount and the nature of the data processed and combined.”
This meant that users were unable to give valid, informed consent for their data to be used to deliver personalised advertising. It followed a complaint from privacy advocacy groups None Of Your Business (NOYB) and La Quadrature du Net.
While the fine is not the first to be handed out since GDPR went into effect in May 2018, it is by far the biggest, and some experts have suggested that it could be a sign of things to come under the new regime. It may signal that regulators in the EU will not be afraid to use the full powers of the GDPR to issue huge fines for any privacy failings.
Dr Lukasz Olejnik, an independent privacy researcher and adviser, told the Guardian: “This is a milestone in privacy enforcement, and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of [the] GDPR decade.”
It may also be far from the last time the world’s biggest tech businesses face enforcement action under GDPR. Last week, NOYB also filed complaints against a number of firms, including Amazon, Netflix, Spotify and Apple, claiming they have broken GDPR rules regarding people’s rights to request a copy of all the data companies possess about them.