For the first time since European policymakers adopted the bloc’s new data privacy law last May. France’s National Commission for Informatics and Liberties (CNIL) has fined Google €50 millionfor failing to properly disclose to users how data is collected across its services, including its search engine, Google Maps and YouTube., applying the EU General Data Protection Regulation (GDPR).
CNIL underlined that Google breached the GDPR rules around transparency and also failed to provide a valid legal basis when processing people’s data in order to present personalised advertisements. In September, the French regulator studied the information made available to users when they created a Google account on a new Android phone.
The previous record to date was a €400,000 on July 17, 2018, when the Portuguese Supervisory Authority (CNPD) fined a hospital for violating the GDPR rules. According to that decision, the hospital did not put in place appropriate the technical and organisational measures to protect patient data.
The fine follows a series of complaints from privacy activists against Google and Facebook. Immediately after the GDPR took effect, a crowdfunding group called None Of Your Business (NOYB), led by Max Schrems, sued Facebook on multiple occasions,.A complaint against Google was also made public by a French digital rights group La Quadrature du Net during that first week of GDPR.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems in a statement. “Following the introduction of GDPR, we have found that large corporations such as Google.
In response to the decision, Google issued a statement saying, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”