Updated: Apr 13, 2020
Google was fined 50 million euros by the French data regulator Commission Nationale de l’informatique et des libertés (CNIL) for breaking the data protection rules of the European Union, particularly for not being transparent, not disclosing adequate information and having no valid basis of consent for its ad personalization. According to CNIL, Google failed to inform its users about the collection of data for personalized advertising. Google reportedly said it was “studying the decision” to determine its next step.
Privacy rights groups None-of-your-business (NOYB) and La Quadrature du Net (LQDN) filed a case against the giant company last year, claiming that Google lacked the legal basis to use data for ad personalization under the rules and regulations of GDPR.
The regulator handled the case filed against Google despite the company's main headquarters being in Ireland, because the watchdog there did not have any decision-making powers over its Android operating system and its services.
Google has been fined for its lack of transparency, as it did not ask for a proper agreement to process the personal data of its users, and the relevant information has been spread across several documents. This information, according to the regulator, can be accessed only after several steps and is difficult for the data subject to understand.
Furthermore, CNIL stated that Google did NOT have the consent needed to obtain a legal basis for processing the data of its users. According to the regulator, the information on the processing involved in ad personalization is distributed across several documents, which masks its true intention and leaves users unaware.
It said that the option to personalize advertisements is effectively unavoidable, as it already comes with creating an account, which disrespects the rules of GDPR.
CNIL claims that Google asks its users for consent covering all the processing operation purposes written in its terms and agreement. This in itself is problematic under GDPR because the regulation specifically asks for processing operations and their DISTINCT purposes, which the tech giant failed to state.
The French regulator stated that Google is responsible for complying with its obligations, as the company promised to meet the high standards and expectations of both the people and GDPR when it comes to transparency and control.
May this serve as a lesson to Google in this GDPR-driven era, to prevent such a mistake from ever happening again and for the safety of millions.