GOOGLE HAS BEEN WHACKED with €50m (£44m) fine in France for breaking the GDPR’s rules around transparency.
The complaints alleged that Google failed to have “a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes” when setting up an account from an Android device.
Further, Schrems accused Google of securing “forced consent” through the use of pop-up boxes on the web and its apps which imply that its services will not be available unless people accept its conditions of use.
Following its probe of the company, CNIL on Monday concluded that users were “not sufficiently informed” about how Google collected data to personalise advertising and had failed to obtain a valid legal basis to process user data.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the regulator wrote.
CNIL also calls out Google’s sign-up process, which sees the firm pushing users to sign up for a Google account when setting up a device – a move that’s illegal under the GDPR’s content bundling rules. Moreover, the watchdog notes that the choice of ads personalisation is a pre-ticked box, another no-go under GDPR.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” Schrems said in a statement.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
Google said in a statement, likely breathing a sigh of relief that the fine wasn’t higher: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.” µ