French regulators on Monday hit Google with a $57 million penalty--the first fine targeting a U.S. technology giant under Europe's strict new data privacy rules.
"This fine should serve as a wake-up call for all companies whose business models are based on data exploitation to take data protection and individuals' data rights seriously."
--Ailidh Callander, Privacy International
Implemented across the European Union (EU) in May of 2018, the General Data Protection Regulation (GDPR) aims to bar tech companies from relying on "long illegible terms and conditions full of legalese" to obtain and use data. Under the new rules, "the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent."
Responding to the EUR50 million penalty levied against Google, Ailidh Callander of Privacy International said, "This fine should serve as a wake-up call for all companies whose business models are based on data exploitation to take data protection and individuals' data rights seriously."
France's digital privacy watchdog, the National Data Protection Commission (CNIL), charges that although Google took some steps to comply with GDPR, it still fails to make data processing information "easily accessible for users" and does not validly obtain consent for showing users personalized ads.
"The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations," a statement from CNIL said.
"This is the first time that the CNIL applies the new sanction limits provided by the GDPR," the statement noted. "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information, and consent."
The watchdog's investigation and penalty came in response to complaints from the data protection advocacy groups None Of Your Business (NOYB) and La Quadrature du Net.
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law," NOYB chairman Max Schrems said in a statement.
Since GDPR was introduced, Schrems explained, "we have found that large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough."
"We welcome this first sanction based on our collective complaints, especially because this decision cuts short the attempted escape of Google to Ireland," La Quadrature du Net said in a series of tweets while also calling for further actions regarding other complaints.
Google, for its part, said in a statement that it is "studying the decision to determine our next steps." The company added: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
Europe's new rules, as the Washington Post pointed out, "have set a global standard that has forced Google and its tech peers in Silicon Valley to rethink their data-collection practices or risk sky-high fines. The United States lacks a similar, overarching federal consumer privacy law, a deficiency in the eyes of privacy rights advocates that has elevated Europe as the world's de facto privacy cop."
While welcoming the news out of France on Monday, consumer advocates urged U.S. regulators to follow suit. As Marc Rotenberg, the executive director of the Electronic Privacy Information Center, put it, "The big question now is why the Federal Trade Commission failed to act against the tech firms over these many years."