Google has been fined in France with 50 million euros for "lack of transparency, incorrect information and lack of valid consent in personalized advertising," announced Monday the National Commission for Information and Freedoms (CNIL), the French body in charge of veiling for data protection.
The CNIL is the first European regulatory body that sanctions a global Internet platform based on the new European data protection regulation (RGPD) that entered into force on May 25. The decision to impose such a high fine is due, explained the CNIL, to the "seriousness of the violations observed in the principles of data protection: transparency, information and consent".
Google said it will analyze the decision to determine what will be its "next steps" and defended its commitment to achieve the "high standards of transparency and control" that users expect from the company, reports Efe. "We are very committed to meeting these expectations and the consent requirements of the RGPD," said the multinational.
The CNIL studied the case at the request of two organizations: the Austrian None Of Your Business (NOYB), which filed a complaint against Android, the Google operating system, and La Quadrature du Net (LQDN). This French association had submitted to the agency 12,000 signatures in support of their claims against the companies Google, Apple, Facebook, Amazon and Microsoft.
According to the rules established by the RGPD, which provides that the investigation of a case is in the hands of the data protection agency of the country where the defendant company has its "activity center", under the "single window" principle, the CNIL he delegated to his Irish colleagues the lawsuits against Apple, Facebook and Microsoft; and in the Luxembourgers that of Amazon, since that is where the US giant focuses its activities within the European Union, explains LQDN. However, in the case of Google, the CNIL decided to take action when considering that, although its European headquarters are in Ireland, "Google is not considered to have a main institution in the EU", which allowed it to act, points out the organism.
According to the CNIL, the irregularities detected in the US multinational "leave users without their essential guarantees, since they practice operations that can reveal important parts of their private lives." Although he acknowledges that Google has taken some steps, such as the presentation of tools configuration, consider that these are not enough.
"We do not deny that Google reports" to the user who opens an account about what will be done with their data, the director of data protection and penalties of the CNIL, Mathias Moulin, told Agence France Presse. "But the information is not easily accessible, it is disseminated in different documents" that the Internet user never finishes consulting. "Sometimes you have to do up to five clicks to access information," Moulin said as a sign of the lack of "clear and understandable" information that is being claimed from Google.
Celebration of the two plaintiffs
"We are very pleased that for the first time, a European data protection authority uses the possibilities of the RGPD to punish clear violations of the law," NOYB president Max Schrems said. "It is important for the authorities to make it clear that limiting themselves to ensuring compliance with standards is not enough," he added. The French also celebrated the fine and that the CNIL has frustrated the "escape attempt" of Google, which as of Tuesday will be clearly established in Ireland. Even so, he considered the sanction insufficient. "We want the CNIL to recognize that our consent is only valid if it is freely given. And that clearly explains that Google can not force us to accept your targeted advertising to use their services, "he said.