Google has been handed a €50 million (AU$79 million) fine from the French data protection watchdog for failing to comply with GDPR.
The French watchdog CNIL said the tech giant had a “lack of transparency, unsatisfactory information and lack of valid consent for the personalisation of advertisement”.
CNIL noted the information provided by Google is not easily accessible for users.
It explained, “Essential information, such as the purpose for which the data is processed, the length of time the data is stored, or the categories of data used to personalise the advertisement, are excessively scattered throughout several documents”.
The French watchdog said there was a lack of valid consent for personalised ads for two reasons. Firstly, users are not sufficiently informed about which Google sites are using their data, such as Google Photos, YouTube, etc.
Secondly, it states that the consent obtained is not specific and unambiguous. When signing up, users have the option to change the parameters associated with their account by clicking the “more options” button.
The option to opt out of personalised ads has to be accessed through a “more options” link, and it is pre-ticked by default when it shouldn’t be.
A spokesperson for Google told The Verge the company is “deeply committed” to meeting the “high standards of transparency and control” that people expect of it. Google said the company was studying CNIL’s decision in order to determine its next steps.
These violations are yet to be fixed by Google.
Last May, None Of Your Business (NOYB) and La Quadrature du Net (LQDN) filed separate lawsuits against Google and Facebook, claiming they are coercing users into sharing their data.
This is the biggest fine handed out for breaching GDPR rules so far; however, GDPR regulations allow a company to be fined a maximum of four per cent of its annual global turnover for more serious offences.
Last November, several consumer groups filed a complaint against the company, claiming it had breached GDPR in relation to how the company tracks its users’ location.
Ryan Kalember, Cyber Security SVP at Proofpoint, said this fine brings to light some vital lessons for other businesses observing this crisis from a distance.
He said, “By becoming the highest fined company since GDPR came into force, Google is now the black and white case study of ‘what could happen’ in the event of non-compliance.
“In a privacy-first world, companies must build a people-centric compliance strategy, which can only start by getting visibility into highly regulated data, the systems that process that data and identifying who within your business has access to that data.”