The first major fine for breaches of the General Data Protection Regulation (GDPR) eventually amounted to 50 million. The fine was imposed on Google by the French data protection authority CNIL.
The CNIL said the fine was imposed for violations of GDPR regulations regarding the transparency and processing of company data for advertising purposes.
This is the biggest fine imposed so far under the new EU-wide privacy law, which has been in force for eight months. The previous one was a fine of 400.000 € imposed on a Portuguese hospital.
The fine came after complaints filed by privacy activists at the end of May last year. Max Schrems and the non-profit organization None of Your Business (NOYB) were among the first to denounce Google and Facebook after the GDPR came into force on May 25. The French digital rights group La Quadrature du Net also filed a complaint against Google a few days later.
Both complaints against Google were essentially about the "coercive consent" that the company uses to obtain the data. According to the complaints, Google did not have a legal basis for processing the data, as it led users to consent to the processing without understanding it.
"We are very pleased that for the first time a European data protection authority is using the capabilities of the GDPR to punish clear violations of the law," Schrems said in a statement.
"After the introduction of GDPR, we found that big companies like Google interpreted the law differently and often adapted it superficially to their products. It is important for the authorities to make it clear that simply claiming compliance is not enough."
Regulators have ruled that Google is "too generic and unclear" when it tells users how their data is used, and that there is no information on how long the data is stored.
So Google does not have the valid consent of its users to process their data. Their consent is neither "specific" nor "clear" as required by the GDPR, says CNIL.
France's maximum fine for data protection violations was just 150.000 euros, although it rose to 3 million euros two years before the GDPR came into force. Now that the new law is in force at EU level, the ceiling has reached 20 million or 4% of the total annual revenue of the company that violates the law.
Alphabet recorded revenue of $110,8 billion for 2017, which means CNIL could theoretically ask the company for a fine of 4 billion.
The CNIL said it is demanding a fine of 50 million due to the seriousness of the violation, and that if Google does not change its ways, the fines will increase.