Google has been fined €50 million (£44 million) by French regulator CNIL after it was found to have misused the data of users when delivering personalised ads.
It is one of the first big fines to be levied under the terms of the EU’s General Data Protection Regulation (GDPR), which came into force last year and spells out new, tougher requirements for how companies may use the personal data of their customers, as well as beefing up the penalties for failures.
The French regulator ruled that Google failed to comply with GDPR legislation by making it too difficult for users to find essential information about their data, while some details were found to be unclear or incomplete.
“Users are not able to fully understand the extent of the processing operations carried out by Google,” the CNIL said in a statement. “The processing operations are particularly massive and intrusive because of the number of services offered (about 20), the amount and the nature of the data processed and combined.”
This meant that users were unable to give valid, informed consent for their data to be used to deliver personalised advertising. It followed a complaint from privacy advocacy groups None Of Your Business (NOYB) and La Quadrature du Net.
While the fine is not the first to be handed out since GDPR went into effect in May 2018, it is by far the biggest, and some experts have suggested that it could be a sign of things to come under the new regime. It may signal that regulators in the EU will not be afraid to use the full powers of the GDPR to issue huge fines for any privacy failings.
Dr Lukasz Olejnik, an independent privacy researcher and adviser, told the Guardian: “This is a milestone in privacy enforcement, and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of [the] GDPR decade.”
It may also be far from the last time the world’s biggest tech businesses face enforcement action under GDPR. Last week, NOYB also filed complaints against a number of firms, including Amazon, Netflix, Spotify and Apple, claiming they have broken GDPR rules regarding people’s rights to request a copy of all the data companies possess about them.
Share This Post, Choose Your Platform!
With over 20 years in the business telecoms industry and an unrivalled reputation of delivering excellent, personal customer service, Arrow is one of very few companies in the UK able to provide a full telecoms, IT and energy consultancy and service proposition.
Savings through automation, scale, improved service. We’ve got that covered. But the true value comes with empathy, through empowerment, collaboration. It’s connecting people that drives us forward. It’s people that make tomorrow happen.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.