Google fined £44m by French data regulator over GDPR breach
French data watchdog CNIL has issued a Google a £44m fine for failing to follow general data protection regulation (GDPR) data protection rules.
The tech giant was fined over a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation". The watchdog also said that it hadn’t "sufficiently informed" users about how user data was being used to personalise advertising.
In a statement, Google said it was "studying the decision" to determine its next steps.
Google fined by CNIL
The fine comes after the EU-wide GDPR was implemented on 25 May 2018. Almost immediately after the legislation took effect, two French advocacy groups filed complaints outlining a concern that Google’s pop up forms relied upon ‘forced consent’ by implying services would not be available without signing up.
Google had made changes to its operations in the wake of the GDPR implementation, however CNIL did not find these measures to its satisfaction. Particularly the pre-checking of select tracking options.
Google could appeal the decision. It said in a statement: “People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR.”
Phil Lee, partner at European law firm Fieldfisher, suggested that this is the first sign that regulators are willing to use the "whopping" new fining powers they now have under GDPR.
The fine was issued by French regulators despite Google's headquarters being in Ireland because Irish authorities did not have "decision-making power" over Google's Android operating system and Google's services.
The latest marketing news and insights straight to your inbox.
Get the best of The Drum by choosing from a series of great email briefings, whether that’s daily news, weekly recaps or deep dives into media or creativity.Sign up
Lee added: "Data-driven firms should not get complacent about who their lead authority is. Google had its EU headquarters in Ireland, but the CNIL led this investigation and enforcement (not the Irish DPC).
"It's time to get serious about unambiguous consent for targeted ads. Companies should not be asking people to ‘agree’ to their entire privacy notice. It doesn't work. Consent needs to be specific.
“Will this lead to an appeal? It would be naive not to expect one. The size of the fine and the significance to online advertising revenues (and certain business models) means an appeal is all but certain. Longer term, there is a query over what impact this will have on the future of tech, data collection and ad personalisation - is this the beginning of the revolution, or will fines simply be seen as a cost of doing business...?"
Lawyer Eduardo Ustaran, co-director of the global Privacy and Cybersecurity practice of law firm Hogan Lovells addressed the grey areas facing the implementation of the act at the close of 2018. He said: “It’s a complex piece of legislation and we’ll be learning for years how to implement it.”
Research indicates that the UK public believes that GDPR has only slightly reduced unsolicited marketing comms.
Amazon, Apple, Google, Netflix and Spotify all face similar data use complaints that could result in similar fines if upheld.