France Slaps Google With 50 Million Euro Fine – Largest Yet Under GDPR

France’s data protection authority issued a 50 million euro fine against Google on Monday for failing to comply with the General Data Protection Regulation.

Not only was Google found not to have the proper consents in place from its users to collect and process data for personalization and ad targeting, it may not even have a legal basis to do so at all, since users are so ill-informed about what Google wants to do with their data.

Google relies on consent to process user data for personalization purposes.

According to the CNIL (the Commission nationale de l’informatique et des libertés), Google’s process for obtaining consent isn’t transparent or specific enough and doesn’t give users the information they need to make an informed decision.

The CNIL also claims that Google’s approach to data collection is “particularly massive and intrusive” because it doesn’t gather consent for ad personalization for each of Google’s different services separately, including Search, YouTube, Google Home, Google Maps, the Play Store, Google Photo and others.

In other words, Google was found to have committed a cardinal sin under GDPR, which states that a company must obtain consent for each specific way it wants to use personal data. Google also pre-checks boxes by default during the consent-gathering process, which is another major GDPR no-no.

The CNIL’s ruling follows a series of complaints filed by two nonprofit groups, La Quadrature du Net and None Of Your Business (NOYB), both of which accused Google of not having a legal basis for processing the personal data of its users.

None Of Your Business is led by Max Schrems, the Austrian lawyer and privacy campaigner responsible for bringing the 2013 legal challenge against Facebook’s international data-sharing practices that ultimately overturned the Safe Harbor agreement.

On May 25, 2018, the day GDPR went into effect in Europe, Schrems and None Of Your Business filed a class action lawsuit against Google for “coercing” its users into giving consent for data collection, which is what the CNIL is now reacting to. Schrems also filed suits against Facebook, Instagram and WhatsApp that day, so another shoe may yet drop impacting Google’s co-duopolist.

The NOYB suits were filed in France, Austria, Belgium and Hamburg, Germany – all jurisdictions with active data protection authorities.

“These places were not chosen arbitrarily or by accident,” noted Dominique Shelton, co-chair of the ad tech privacy and data management practice at Perkins Coie, in a previous interview.

Until now, the CNIL had focused most of its attention on the little guys, using public enforcement actions to make an example of smaller companies. These companies, mainly French ad tech startups focused on the location data space, were given time to mend their ways rather than being hit with a fine right off the bat.

The CNIL’s action against Google could be “a symbolic message sent to show that not only small companies are targeted by the CNIL – even if 50 million euros is probably only 15 days’ worth of Google France’s revenue,” a French ad tech executive told AdExchanger.

Monday’s fine against Google, which translates to roughly $57 million, is the largest GDPR-related penalty to date and the first time either Google or Facebook is being called to task for running afoul of Europe’s new privacy laws. But it is also chump change for Google, whose ads business brings in billions every quarter.

However, the ruling is portentous for how European regulators feel about the duopoly: wary of large, US-based technology companies and more than willing to crack down.

In July of last year, the European Union hit Google with a $5.1 billion fine for breaking antitrust laws by striking deals with phone manufacturers to favor its Android operating system.
