Google fined $57m by French regulator for breaching GDPR
French data protection authority CNIL has slapped a €50 million ($57 million) on Google for failing to meet requirements under the General Data Protection Regulation.
The regulator hit Google on two points: for making it difficult for users to see the detail on why and how they should give consent in order to be sent personalized ads, and for providing a pre-ticked option when requesting consent.
CNIL has decided that essential information such as data processing purposes, the data storage periods or the categories of personal data used for sending personalized ads are “excessively disseminated” across several documents. This means users can only view the details after clicking through several pages.
The fine is unlikely to cause tremors at Google, whose parent company Alphabet produced $33.6 billion in revenue in the last quarter it reported. Still, it is the first substantial financial penalty to hit a major company for breaching GDPR, and is the first financial penalty issued by CNIL. The only other financial penalty has been issued in Germany against an unnamed social media company.
So far it is CNIL that has been by far the strictest of the DPAs when it comes to warning companies, having scrutinized several mobile location vendors already.
The action could signal what regulators will look for in taking action when many companies are likely in breach of the letter of the regulation. There are several examples of catch-all consent features currently being used. Previously publisher sources have expressed doubt in the authenticity of their consent opt-in rates because they’re counting things like user movement on the page as consent, or users clicking through on articles.
“This historic first fine should serve as a wake-up call to publishers and tech companies alike that GDPR is real and it is here,” said Matt O’Neill, general manager at The Media Trust. “It is crucial that now, more than ever before, media owners have a clear picture of everyone dropping code on their sites and on their users’ devices. The market has been waiting for this moment.”
Under GDPR, regulators want to be satisfied that users are informed why they need to give consent before deciding whether to. That means an individual has to make a clear affirmative action to show they’re giving consent, classed as “unambiguous” under GDPR, and which means no pre-ticked boxes. Currently, Google’s version is a pre-ticked box and for multiple operating purposes, according to CNIL.
The final point is that Google has bundled its services and asked users to agree to give consent for all. The regulator has stressed that under GDPR consent must be given for each purpose the company plans to use the data for, so has said this doesn’t meet the criteria of “specific” consent required.
“People expect high standards of transparency and control from us,” said a Google spokesperson. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. “We’re studying the decision to determine our next steps.”
Google has been under a steady stream of fire from European regulators for a variety of reasons ranging from antitrust competition to copyright infringement for years. The fine may be pocket change for the company, but it marks the largest fine to be dished out to a company for GDPR to date. Eyes will now be on Facebook, which has also had similar fines levied against it by privacy activists. So far, Facebook has been issued a higher fine by the U.K. regulator ICO for its part in the Cambridge Analytica data breach, but the timing of the fine meant it fell under the old data protection law and was, therefore, a smaller fine, albeit to the tune of £500,000 ($661,000).
Typically, data protection authorities take the lead on companies which have their headquarters within the same country. Google’s European headquarters is in Ireland, which makes the Irish DPA Google’s lead GDPR investigator. However, CNIL maintained it was within its rights to investigate due to the time the complaints were logged last June.
“The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” read the CNIL statement.
Others have been heartened by the result. “For nearly a year, Google has been attempting to undermine the GDPR using PR spin, creative legal regimes and its dominant market position all in an attempt to preserve its vast data collection empire,” said Jason Kint, CEO of U.S. publisher trade body Digital Content Next. “It’s heartening to see the EU stand up to Google’s defiance of the law and demand greater protections for consumers.”
Google is still looking at the verdict and hasn’t announced it will be making an appeal. However, some believe that’s a natural next step. “It would be naive not to expect one,” said Phil Lee, partner at European privacy firm Fieldfisher. So far, it all raises more questions than answers. “Longer term, there is a query over what impact this will have on the future of tech, data collection and ad personalization — is this the beginning of the revolution, or will fines simply be seen as a cost of doing business?”
As of 22 Jan. the Irish DPA will be the lead supervisory authority for Google’s European services.
Read the full verdict here.
With billionaire backers, Time is still in expansion mode
Several publishers, including BuzzFeed, Group Nine Media and Vice, recently announced pay cuts and benefit reductions to their staffs. Time CEO Edward Felsenthal, on the other hand, not only pledged to his staff of 275 that the company wouldn’t have any layoffs for 90 days — and the company would continue growing through new hires […]
‘We’re all making it up as we go along’: Dazed CEO Jefferson Hack on what comes next for media
Anyone sitting back seeing how it plays out is part of the problem rather than the solution. I only want to work with people who are part of the solution.
Member ExclusiveFountain of youth: Meet 7 young founders transforming media
Media isn’t for the faint of heart, especially these days. But don’t tell that to these seven young founders.
SponsoredAs cookies vanish, publishers are using new authentication strategies
Up to 40 percent of browser inventory is already cookieless, giving publishers, marketers and their technology partners an opportunity to build a new and better digital ecosystem.
‘Opening the paywall is not an option’: Schibsted sees subscriptions mini-boom
The Nordic publisher sold twice as many subscriptions the past two weeks compared to the period's previous two weeks.
‘Everyone feels the pain’: Major digital publishers enact pay and benefits cuts to stanch the bleeding
Several publishers have begun announcing their pay cuts and furlough plans as ad revenue continues drying up. Seeing patterns from previous recessions, former media execs explain why these cost controls are only temporary fixes.