The $56.8 million fine (50 million euros) was handed down by France’s privacy regulator, National Data Protection Commission (CNIL). In a statement announcing the fine, CNIL said Google violated two provisions of the GDPR. Those violations included lack of transparency and information, and not having the legal basis to process user data for personalized advertisements.
CNIL says the lack of transparency violation stems from a Google user not being able to easily tell all the information Google collects about them when signing up for its services:
Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.
As for not having the legal basis to process user data for personalized advertisements, CNIL says:
The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization,” it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, YouTube, Google home, Google maps, Playstore, Google pictures . . . ) and therefore of the amount of data processed and combined.
What’s particularly notable about CNIL’s ruling is that the organization launched its investigation into Google’s GDPR violations on June 1, 2018–less than a week after the GDPR took effect. Also, under the old rules that came before GDPR replaced them, Google would have only been fined $170,000 (150,000 euros) for the same violations instead of $56.8 million.
Google does have an opportunity to dispute CNIL’s findings before it’s forced to hand over the massive fine, however. As the company told Bloomberg, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”