Today, France's top data-privacy agency, known as the CNIL, issued the very first major penalty against a USA company for violating Europe's strict new data privacy laws, via The Washington Post. Implemented in 2018, the sweeping privacy rules commonly referred to as GDPR have set a global standard that has forced Google and its tech peers in Silicon Valley to rethink their data-collection practices or risk sky-high fines.
The French watchdog's fine against Google follows complaints filed by None Of Your Business (NOYB) and La Quadrature du Net (LQDN) on 25 and 28 May 2018 against Google LLC for "not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization objective".
The two complaints were filed jointly on the day the law went into effect by the French digital advocacy group La Quadrature du Net and the group Noyb.eu, a watchdog organization started by Max Schrems.
The commission said users were "not sufficiently informed" about what they were agreeing to and there was a "lack of transparency, inadequate information and lack of valid consent" regarding ad personalisation for users.
The EU's General Data Protection Regulation (GDPR), the biggest shake-up of data privacy laws in more than two decades, came into force in May.More news: Boateng set for shock Barcelona move
More news: AC Milan coach Gattuso: Piatek has some very specific characteristics
More news: Updated Patriots-Chiefs Weather Forecast: Should Bettors Worry About Cold Temperatures?
Google didn't immediately respond to a request for comment.
They said Google had made it too hard for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising. It has been reported that Google is "studying the decision", but the company has previously admitted it would comply with GDPR rules.
Users' "consent" is now set as the global default setting, which fails to meet the regulator's requirement that companies obtain "specific" consent.
The company's infringements "deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life", the commission said. However, the GDPR provides that the consent is "specific" only if it is given distinctly for each goal.
Rather, it pointed out that not only is this buried under a "more options" button, but also that the choice of ads personalisation is a pre-ticked box (this is a GDPR no-no as consent is only considered unambiguous if there is a clear affirmative action from the user).
The severity of the violations, in this case, was also amplified by the fact that Google is still violating GDPR's provisions in a continuous form as detailed by the French watchdog's report.