
French regulators Monday fined Google $57 million for breaching Europe's aggressive new data-privacy regulations, marking the first major penalty since GDPR took effect last year.
The country's data protection watchdog, known as the CNIL, said that Google lacked transparency and clarity around how personal information is collected and what happens to it. Google was also accused by French regulators of failing to properly obtain user consent for personalized ads.
"The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent," the CNIL said in a statement.
Google, meanwhile, said it is studying the CNIL's decision to determine the company's next steps.
"People expect high standards of transparency and control from us," Google said in a statement. "We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
The CNIL began investigating Google on May 25 – the day GDPR went into effect – in response to complaints by two non-governmental organizations, None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN had been mandated by 10,000 people to present the case to the CNIL.
Under the European Union's General Data Protection Regulation (GDPR) rules, tech companies must give users a clear picture of the data they collect, along with simple tools users can rely on to consent to having their data collected. Google has failed on both of those counts, according to the CNIL.
"Essential information … [is] excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information," the CNIL said in its statement. "The relevant information is accessible after several steps only, implying sometimes up to five or six actions."
The lack of visibility is even more problematic for users, according to the CNIL, since Google operates a broad array of services from its app store, to its map service, to YouTube. Even though Google users can adjust their privacy settings when they start an account, the CNIL said that isn't enough since the default setting is for Google to display personalized ads to customers.
At the same time, Google mandates that prospective customers agree to its terms and conditions in full before creating an account. GDPR, however, indicates that specific consent must be given distinctly for each separate purpose.
The CNIL is known for its stringent interpretation of privacy rules and a willingness to punish U.S.-based tech companies for their errors. Across Europe, punishments have in recent years been doled out to Apple for its tax practices, Facebook for multiple privacy issues, and Google for charges that it sought to undermine its corporate rivals.
The United States lacks a broad, holistic consumer privacy law similar to GDPR, making Europe the world's most stringent protector of consumer privacy. Consumer advocates in the United States have urged America to follow the example set by the Europeans.
