The French data protection watchdog CNIL has issued its first fine of €50 million (around $57 million) under the European Union’s new General Data Protection Regulation (GDPR) law that came into force in May last year.
The fine has been levied on Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation,” the CNIL (National Data Protection Commission) said in a press release issued today.
The fine was imposed following the latest CNIL investigation into Google, which came after two non-profit organisations, None Of Your Business (NOYB) and La Quadrature du Net (LQDN), filed complaints against the company in May 2018.
Why Has Google Been Fined?
According to the CNIL, Google has been found to be violating two core privacy rules of the GDPR: Transparency and Consent.
First, the search engine giant makes it too difficult for users to find essential information, like the “data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation,” by excessively disseminating them across several documents with buttons and links and requiring up to 6 separate actions to get to the information.
And even when the users find the information they are looking for, the CNIL says that information is “not always clear nor comprehensive.”
“Users are not able to fully understand the extent of the processing operations carried out by Google,” the Commission says. “Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalisation is the consent and not the legitimate interest of the company.”
Secondly, Google does not obtain its users’ valid consent to process data for ads personalisation purposes.