French Regulatory Commission Orders $50 M Fine Against Google
Google has been slapped by a 50-million Euro fine by CNIL (Commission Nationale de L’informatique et des Libertés), France’s Data Regulation Agency due to GDPR (General Data Protection Regulation) violation. CNIL’s acted on Google’s “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”, and set the motion for other EU countries potentially penalizing Google for the same acts.
CNIL claims to protect users from Google’s information gathering without securing prior consent, something that personalization ads ‘monetize’, as the system detects the product preferences of their users in the background. GDPR has strictly oriented itself as a pro-consumer regional law, with Google being one of the tech giants who are in the business of gathering information for successful targeted advertising campaigns for decades.
“The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. Users are not able to fully understand the extent of the processing operations carried out by Google. The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent. The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose,” explained a CNIL representative.
Google on their part claims that they are in full compliance of GDPR, contrary to the claims of CNIL. “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” explained a Google representative.
CNIL’s action was caused by the complaints filed by Max Schrems’ None Of Your Business (NYOB) and La Quadrature de Net dated May 2018. They accused Google of capturing personal data preferences which they later use for targeted advertising, all without the permission of the user.
“Data-driven firms should not get complacent about who their lead authority is. It’s time to get serious about unambiguous consent for targeted ads. Companies should not be asking people to ‘agree’ to their entire privacy notice. It doesn’t work. Consent needs to be specific. Will this lead to an appeal? It would be naive not to expect one. The size of the fine and the significance to online advertising revenues (and certain business models) means an appeal is all but certain. Longer term, there is a query over what impact this will have on the future of tech, data collection and ad personalisation – is this the beginning of the revolution, or will fines simply be seen as a cost of doing business…?,” said Phil Lee, Fieldfisher’s representative, a law firm.
The truth is that under the mantle of the free, camouflage numerous important interests on the part of companies, individuals and even governments, of which there are great examples like this. Therefore, every precaution is little when it comes to ensuring our own privacy on the Internet since privacy is the currency in almost all services that can be found on the Internet.
Julia Sowells919 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.