Google fined €50 million for first major violation of GDPR

Google has been fined almost €50 million ($57m) by French regulators for violating Europe’s strict data-privacy rules. The fine marks the first major penalty brought against a U.S. technology giant since the General Data Protection Regulation (GDPR) took effect in May 2018. Under the regulation, users must be given a full, clear picture of the data collected, along with simple, specific tools for users to consent to having their personal information harnessed.

According to France’s top data-privacy agency (CNIL), Google failed to fully disclose to users how their personal information is collected and what happens to it. The watchdog also said that Google also did not properly obtain users’ consent for the purpose of showing them personalised ads, thus failing to comply with the GDPR.

Despite Google’s changes to its business practices, the CNIL said in a statement that “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”

French regulators began investigating Google on 25 May 2018, the day the GDPR came into effect in response to concerns raised by two groups of privacy activists. They filed additional privacy complaints against Facebook and its subsidiaries, photo-sharing app Instagram and messenger service WhatsApp, in other EU countries.

Full details about what Google does with users’ personal information are “excessively disseminated across several documents,” according to the CNIL. The lack of transparency is even more worrying for users because of the sheer volume of services Google operates, including its Maps service, YouTube and its app store.

It is not enough that users can modify their privacy settings when creating an account, partly because the default setting is for Google to display personalised ads to users. The French regulator also found fault with the terms and conditions as it requires users to agree to everything or nothing at all.

For Google, this is the latest headache in Europe with regulators from the region also investigating the tech company for its privacy practices and scrutinising it on anti-trust grounds. Last year, it faced a much larger, a record fine of €5.6 billion ($5bn) for stifling competitors on Android, its smartphone operating system.