Google has been fined nearly US$57 million (NZ$85 million) by French regulators for violating Europe's tough new data-privacy rules, marking the first major penalty brought against a US technology giant since the region-wide regulations took effect last year.
France's top data-privacy agency, known as the CNIL, said Monday that Google failed to fully disclose to users how their personal information is collected and what happens to it. Google also did not properly obtain users' consent for the purpose of showing them personalised ads, the watchdog agency said.
French regulators said Google's business practices had run afoul of Europe's new General Data Protection Regulation. Implemented in 2018, the sweeping privacy rules commonly referred to as GDPR have set a global standard that has forced Google and its tech peers in Silicon Valley to rethink their data-collection practices or risk sky-high fines.
The United States lacks a similar, overarching federal consumer privacy law, a deficiency in the eyes of privacy hawks that has elevated Europe as the world's de facto privacy cop.
Despite Google's changes to its business practices, the CNIL said in a statement that "the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations."
In response, Google said it is "studying the decision to determine our next steps," adding: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
French regulators began investigating Google on May 25 - the day GDPR went into effect - in response to concerns raised by two groups of privacy activists. They filed additional privacy complaints against Facebook and its subsidiaries, photo-sharing app Instagram and messenger service WhatsApp, in other EU countries.
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law," said Max Schrems, the leader of the nonprofit noyb.eu (None of Your Business). "It is important that the authorities make it clear that simply claiming to be complaint is not enough."
Under Europe's data privacy law, tech giants including Google must give users a full, clear picture of the data they collect, along with simple, specific tools for users to consent to having their personal information harnessed. In both cases, France said that Google had erred. Full details about what Google does with users' personal information are "excessively disseminated across several documents," according to the CNIL. The lack of transparency is even more jarring to users, the watchdog said, because of the sheer volume of services Google operates - including its maps service, YouTube and app store.
Even though Google users can modify their privacy settings when they create an account, French regulators said it still isn't enough - partly because the default setting is for Google to display personalized ads to users. Meanwhile, Google requires people who sign up to agree to its terms and conditions in full in order to create their accounts, a form of consent that the CNIL faulted because it requires users to agree to everything -- or not use the service at all.
For Google, its fine in France marks only its latest headache in Europe. Regulators throughout the region repeatedly have investigated the search giant for its privacy practices, while EU watchdogs have scrutinized Google on antitrust grounds. In 2018, Google faced a much larger, record US$5 billion fine for stifling competitors on Android, its smartphone operating system.
- Washington Post