By Tony Romm
January 21 at 10:30 AM
Google has been fined nearly $57 million by French regulators for
violating Europe’s tough new data-privacy rules, marking the first major
penalty brought against a U.S. technology giant since the region-wide
regulations took effect last year.
France’s top data-privacy agency, known as the CNIL, said Monday that
Google failed to fully disclose to users how their personal information is
collected and what happens to it. Google also did not properly obtain
users’ consent for the purpose of showing them personalized ads, the
watchdog agency said.
French regulators said Google’s business practices had run afoul of
Europe’s new General Data Protection Regulation. Implemented in 2018, the
sweeping privacy rules commonly referred to as GDPR have set a global
standard that has forced Google and its tech peers in Silicon Valley to
rethink their data-collection practices or risk sky-high fines. The United
States lacks a similar, overarching federal consumer privacy law, a
deficiency in the eyes of privacy hawks that has elevated Europe as the
world’s de facto privacy cop.
Despite Google’s changes to its business practices, the CNIL said in a
statement that “the infringements observed deprive the users of essential
guarantees regarding processing operations that can reveal important parts
of their private life since they are based on a huge amount of data, a
wide variety of services and almost unlimited possible combinations.”
In response, Google said it is “studying the decision to determine our
next steps,” adding: “People expect high standards of transparency and
control from us. We’re deeply committed to meeting those expectations and
the consent requirements of the GDPR.”
French regulators began investigating Google on May 25 — the day GDPR
went into effect — in response to concerns raised by two groups of
privacy activists. They filed additional privacy complaints against
Facebook and its subsidiaries, photo-sharing app Instagram and messenger
service WhatsApp, in other EU countries.
“We are very pleased that for the first time a European data protection
authority is using the possibilities of GDPR to punish clear violations of
the law,” said Max Schrems, the leader of the nonprofit noyb.eu (None of
Your Business). “It is important that the authorities make it clear that
simply claiming to be compliant is not enough.”
Under Europe’s data privacy law, tech giants including Google must give
users a full, clear picture of the data they collect, along with simple,
specific tools for users to consent to having their personal information
harnessed. In both cases, France said that Google had erred.
Full details about what Google does with users’ personal information are
“excessively disseminated across several documents,” according to the
CNIL. The lack of transparency is even more jarring to users, the watchdog
said, because of the sheer volume of services Google operates — including
its maps service, YouTube and app store.
Even though Google users can modify their privacy settings when they
create an account, French regulators said it still isn’t enough — partly
because the default setting is for Google to display personalized ads to
users. Meanwhile, Google requires people who sign up to agree to its terms
and conditions in full in order to create their accounts, a form of
consent that the CNIL faulted because it requires users to agree to
everything — or not use the service at all.
For Google, its fine in France marks only its latest headache in Europe.
Regulators throughout the region repeatedly have investigated the search
giant for its privacy practices, while EU watchdogs have scrutinized
Google on antitrust grounds. In 2018, Google faced a much larger, record
$5 billion fine for stifling competitors on Android, its smartphone