The CNIL said the fine was imposed for breaches of GDPR regulations relating to transparency and processing of company user data for advertising purposes.
This is the biggest fine that has been imposed so far under the new EU-wide Privacy Act applicable for eight months. The previous one was a fine of 400.000 € imposed on a Portuguese hospital.
The fine came after activists' privacy complaints at the end of May last year. Max Schrems and the non-profit organization None of Your Business (NOYB) were among the first to denounce Google and Facebook after the GDPR came into force on May 25. The French digital rights group La Quadrature du Net also filed a complaint with Google a few days later.
Both of Google's complaints were essentially about the "coercive consent" that the company uses to obtain the data. According to the complaints, Google did not have the legal basis for processing the data, as it was leading users to consent to processing it without understanding it.
"We are very pleased that for the first time a European data protection authority is using the capabilities of the GDPR to punish clear violations of the law," Schrems said in a statement.
“After the introduction of GDPR, we found that big companies like Google interpreted the law differently and often adapted it superficially to their products. It is important for the authorities to make it clear that simply claiming compliance is not enough. "
Οι ρυθμιστικές αρχές αποφάνθηκαν ότι η Google είναι “υπερβολικά γενική και ασαφής” όταν δηλώνει στους χρήστες πώς θα χρησιμοποιήσει τα δεδομένα τους, και ότι απουσιάζουν πληροφορίες για το χρονικό space αποθήκευσης των δεδομένων.
So Google does not have the valid consent of its users to process their data. Their consent is neither "specific" nor "clear" as required by the GDPR, says CNIL.
France's maximum fine for data protection it was just €150.000, although it rose to €3 million two years before the GDPR came into force. Now that the new EU-wide law is in place, the cap has been raised to €20 million or 4% of the total annual revenue of the offending company.
Alphabet recorded $ 110,8 2017 revenue for 4, which means CNIL could theoretically ask the company for a fine of XNUMX billion.
The CNIL said it is demanding a fine of 50 million due to the seriousness of the violation, and that if Google does not change ways, the fines will increase.