The CNIL (National Data Protection Commission) said in a press release that the fine has been levied on Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization”.
The EU’s General Data Protection Regulation (GDPR) is maybe the biggest shake-up of data privacy laws in more than two decades. It allows users to better control their personal data and gives regulators the power to impose fines of up to 4 percent of global revenue for violations.
According to the CNIL, Google has been found to have violated two core privacy rules of the GDPR: transparency and consent.
First, the search engine giant makes it too difficult for users to find essential information, like the “data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation,” by excessively disseminating them across several documents with buttons and links and requiring up to 6 separate actions to get to the information.
And even when the users find the information they are looking for, the CNIL says that information is “not always clear nor comprehensive.”
According to the CNIL, the option to personalize ads is “pre-ticked” when creating an account with Google. It makes the users unable to exercise their right to opt out of data processing for ads personalization, which is illegal according to the GDPR.
Finally, the CNIL says Google by default ticks the boxes that say “I agree to Google’s Terms of Service” and that “I agree to the processing of my information as described above and further explained in the Privacy Policy” when users create an account.
The Commission says, “The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition, etc.)”.
In response to the GDPR fine imposed by France, Google said in a statement: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”