The first massive European Union’s General Data Protection Regulation (GDPR) fine has finally been enforced. Google is the recipient of a €50m (approx. $56.8 million USD) fine from the French data protection authority, CNIL.
The fine follows complaints from privacy activists in late May last year. Max Schrems and his None Of Your Business (NOYB) non-profit had been first off the blocks, complaining against Google and Facebook minutes after the GDPR took effect on May 25th. The French digital rights group La Quadrature du Net also lodged a complaint about Google a few days later.
CNIL said that the fine was issued because Google failed to provide enough information to users about its data consent policies and didn’t give them enough control over how their information is used. According to the regulator, these violations are yet to have been rectified by the search giant. Under GDPR, companies are required to gain the user’s “genuine consent” before collecting their information, which means making consent an explicitly opt-in process that’s easy for people to withdraw.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems in a statement.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough,” he said.
Responding to the fine, a Google spokesperson said that the company is “deeply committed” to meeting the “high standards of transparency and control” that people expect of it. They said that the company was studying CNIL’s decision in order to determine its next steps. In a later statement, Google announced that it planned to appeal the fine, noting that it was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond,” via AFP.
Separately, Google has also been accused of GDPR privacy violations by consumer groups across seven European countries over what they claim are “deceptive practices” around its location tracking.