French watchdog slaps Google with $57M fine under new European Union law
Google has been fined $57 million by a French regulator for not presenting transparent information about its data-gathering practices.
Around 10,000 people signed the initial petition to initiate an investigation, which was filed by France's Quadrature du Net group and None Of Your Business, an NGO which advocates for consumer privacy.
They said Google had made it too hard for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising. [.] Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.).
Additionally, Acxiom, Oracle, Criteo, Quantcast, Tapad, Equifax, and Experian were also subjects of a GDPR complaint filed by user rights group Privacy International due to their practice of collecting the data of millions and using it to create user profiles. We're deeply committed to meeting those expectations and the consent requirements of the GDPR, ' a Google spokesperson said in a statement.
Google has yet to issue a statement on the fine.
"Following the introduction of GDPR, we have found that large corporations such as Google simply "interpret the law differently" and have often only superficially adapted their products", Schrems said in a statement. They also found that information about the retention period is not provided for some data.
"It is important that the authorities make it clear that simply claiming to be compliant is not enough".
The first complaint under the EU's new general data protection regulation (GDPR) was filed on 25 May 2018, the day the legislation took effect. However, the GDPR provides that the consent is "specific" only if it is given distinctly for each objective.
The regulator also pointed out that Google is "too generic and vague" when telling users how it will use their data, and there is also information missing about how long the data will be stored.
Even though Google users can modify their privacy settings when they create an account, French regulators said it still isn't enough - partly because the default setting is for Google to display personalized ads to users.
Indeed, the user not only has to click on the button "More options" to access the configuration, but the display of the ads personalization is moreover pre-ticked. Now that the new, EU-wide law is in place, the maximum is €20 million or 4% of global annual revenues.
It said the record 50-million-euro fine reflected the seriousness of the failings as well as Google's dominant market position in France via Android. Ultimately, the GDPR's power is not just about monetary penalties, but forcing changes to business models.