France’s National Data Protection Commission (CNIL) has fined Google $57 million (€50 million) for violations of the General Data Protection Regulation (GDPR) – the largest fine yet issued under the EU’s new data privacy law.
In investigating group complaints from privacy advocacy groups None Of Your Business and La Quadrature du Net (the latter representing 10,000 citizens), CNIL found Google lacking in transparency when it comes to how it collects and handles user data in the name of serving up personalized ads.
“Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life, since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” CNIL said in a Monday statement.
The regulator also noted the scope of the violations’ impact.
“The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” it said, adding, “taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a Google account when using their smartphone.”
Consent is one of the lawful bases the GDPR recognises for processing personal data, and it is the one Google relied on for ad personalization. Where consent is the basis, it must be obtained before any data is collected, let alone retained or reused for follow-on purposes such as targeted advertising. That covers personal data gleaned from websites, account registrations, social media, advertising and marketing efforts, newsletters and list rentals, data brokerages, public sources of information and more.
This profoundly changes the way an American company, such as Google’s advertising subsidiary DoubleClick, profiles internet users in the E.U. and targets ads at them.
In this case, the French regulator found that Google’s information about how data is collected, combined and used across as many as 20 different Google services is hard to find. According to CNIL, Google spreads that information across several documents, so that the full extent of its data processing can only be pieced together by following a chain of links.
“The relevant information is accessible after several steps only, implying sometimes up to five or six actions,” CNIL said on Monday in its statement. “For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.”
Further, even after accessing the pertinent information, the documents lack detail in terms of exactly where and how user data is utilized for advertising purposes, according to CNIL.
“The [data] processing operations are particularly massive and intrusive because of the number of services offered (about 20), [and] the amount and the nature of the data [being] processed and combined,” the regulator explained. Google’s practices are “described in a too generic and vague manner, and so are the categories of data processed for these various purposes.”
As such, CNIL determined that Google does not obtain valid consent from users to use their data for ad personalization; under the GDPR, consent is only valid if it is freely given, specific, informed and unambiguous.
“The users’ consent is not sufficiently informed…[because the information] is diluted in several documents and does not enable the user to be aware of their extent,” the authority noted. Thus, “the collected consent is neither ‘specific’ nor ‘unambiguous.'”
CNIL added that even though users can modify their account options to opt out of seeing personalized ads, the option to see them is pre-ticked, meaning there is no “clear affirmative action from the user (by ticking a non-pre-ticked box for instance)” to receive the ads.
GDPR Enforcement Ramps Up
The Google fine is far and away the largest penalty issued since the GDPR took effect last May. It could have been much larger: the most serious GDPR violations can incur fines of up to €20 million or 4 percent of annual global turnover, whichever is higher.
While the GDPR is a European regulation, it applies to any organization that processes the personal data of people in the E.U., whether they are customers or partners, including American companies with no establishment in Europe. Any entity in the U.S. that offers goods or services to people in the E.U., or monitors their behavior, is therefore subject to enforcement actions such as fines. In other words, it is an E.U. law with global reach.
Enforcement actions have been slow to roll out, largely because it takes time for regulators to reach a consensus on how compliance is assessed. The GDPR’s articles lay out a complex set of requirements for anyone handling the personal data of people in the E.U., yet what compliance looks like in practice remains uncertain in several areas that will only be clarified as cases are decided.
Google is the largest fish to be caught in the GDPR net to date, but it surely won’t be the last. Over the course of the fall, Data Protection Authorities (DPAs) in various countries began leaping into the enforcement fray – a state of affairs that’s unlikely to wane anytime soon.
Some of the actions have not carried fines. In October, for instance, the U.K.’s Information Commissioner’s Office (ICO) found that Canada-based AggregateIQ Data Services had used the personal data of U.K. individuals, including names and email addresses, to target them with political advertising on social media without their consent. The ICO ordered AggregateIQ to erase any personal data of U.K. individuals retained on its servers.
Similarly, in France, CNIL recently found that a mobile marketing and ad tech agency, Vectaury, had collected the data of more than 67 million people without obtaining valid consent. It too was ordered to purge all personal data of the affected individuals.
On the financial penalty front, in September Austria’s Österreichische Datenschutzbehörde fined a retailer €4,800 for operating a surveillance camera that recorded passersby without their consent. Also, Portugal’s Comissão Nacional de Proteção de Dados fined the Barreiro Montijo hospital €400,000 for failing to restrict employee access to patient data.
Most recently, in November, Germany’s Baden-Württemberg State Commissioner for Data Protection and Freedom of Information fined the German social-media company behind the flirting app “Knuddels” €20,000 after a data breach. The breach revealed that the service had been storing user passwords in plain text, with none of the pseudonymization or encryption of personal data that the GDPR calls for. For passwords in particular, the accepted control is a salted, deliberately slow one-way hash rather than reversible encryption, so that a stolen copy of the database does not yield the passwords themselves.