There was much discussion surrounding the new privacy rules, the General Data Protection Regulation (GDPR), governing Europe that were enacted last year. The first company to be fined under the new rules is the behemoth Google. Privacy regulators in France fined them $56.8 million for using the private data of users, without proper consent, to create personalized ads, and by adding privacy disclosures deep within text.
Google’s GDPR Punishment
CNIL, France’s privacy watchdog, reported in a statement that Google was fined for needlessly obscuring information regarding how it processed user data. This goes again the new privacy rules’ demand that information should be more easily accessible.
Essential information with regards to how user data is processed, stored, and used was “excessively disseminated across several documents,” according to the statement. Google’s information, including how they gather personal information to help determine user location, sometimes required up to five or six steps to reach it.
The statement added that some of the information “is not always clear nor comprehensive.”
Google maintains that they get a user’s consent before using their data to personalize ads, but the French commission found that the company’s process for informing users as to what they’re consenting to was inadequate.
Users of Google are “not sufficiently informed,” read the statement, and Google’s language was found to be “vague” and its violations to be “continuous.”
“The processing operations are particularly massive and intrusive because of the number of services offered (about twenty) and the amount and the nature of the data processed and combined.” Additionally, it was noted that the “information about the retention period is not provided for some data.”
It was reported that CNIL’s judgement came after complaints filed by two advocacy groups in May.
“We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” said Austrian privacy activist Max Schrems.
“It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
In response, Google said it was “studying the decision” in order to determine its next steps. ‘People expect high standards of transparency and control from us,” they continued, while adding that they remain “deeply committed to meeting those expectations and the consent requirements of the GDPR.”
What do you think of Google’s fine for violating the GDPR? Do you feel it was just or unreasonably targeted? Leave your thoughts regarding Google violating the GDPR and their punishment in the comments below.