The fine is the first significant penalty brought against a US technology giant since the regionwide regulations took effect last year and will probably not be the last.
France’s top data-privacy agency, CNIL, said Google failed to disclose to users how their personal information is collected and what happens to it. Google did not correctly obtain users’ consent to show them personalised ads.
As such, Google’s business practices ran afoul of Europe’s new General Data Protection Regulation. Implemented in 2018, the sweeping privacy rules, commonly referred to as GDPR, have set a global standard that has forced Google and its tech peers in Silicon Valley to rethink their data collection practices or risk sky-high fines.
The United States does not have a federal consumer privacy law, because big tech pays a lot of money to lobby politicians to make sure it does not happen. That has started to change, with some big tech companies welcoming a GDPR over the pond, although we suspect that might change as they get rough handling by the Euro law. The US watchdog, the FTC, has mostly been locked in its kennel on matters of privacy.
Despite Google’s recent changes to comply with the EU rules, the CNIL said in a statement that “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
Google said it is “studying the decision to determine our next steps... People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
French regulators began investigating Google on May 25 — the day GDPR went into effect — in response to concerns raised by two groups of privacy activists. They filed additional privacy complaints against Facebook and its subsidiaries, photo-sharing app Instagram and messenger service WhatsApp, in other E.U. countries.
Full details about what Google does with users’ personal information are “excessively disseminated across several documents”, according to the CNIL. The lack of transparency is even more jarring to users, the watchdog said, because of the sheer volume of services Google operates — including its Maps service, YouTube and its app store.
Even though Google users can modify their privacy settings when they create an account, French regulators said it still isn’t enough — partly because the default setting is for Google to display personalised ads to users. Meanwhile, Google requires people who sign up to agree to its terms and conditions in full to create their accounts, a form of consent that the CNIL faulted because it requires users to agree to everything — or not use the service at all.
The only thing Google has to be happy about in the ruling is that the fine was so low in comparison to Google’s earnings. The outfit could have been hit with a penalty of $4.7 billion.
It is likely that the level of the fine is more of a slap on the rump with a wet newspaper, in the hope that the search engine will get into line.
Estelle Massé, a data protection expert at the advocacy group Access Now, described the French ruling as “the first big signal” about Europe’s willingness to enforce GDPR. Other companies, she said, had engaged in practices similar to Google’s, raising the possibility that additional U.S. tech giants could face fines of their own.
“Google is not the only one doing this”, Massé said. “This is significant for Google as a company but also for other actors.”