Google has been fined almost $57 million (roughly Rs. 406 crores) by French regulators for breaking Europe’s strict new data-privacy rules, marking the first significant penalty imposed on a US tech giant since the regionwide regulations took effect last year.
France’s top data-privacy agency, known as the CNIL, stated Monday that Google failed to fully disclose to users how their personal information is collected and what happens to it. Google also did not properly obtain users’ consent for the purpose of showing them personalised advertisements, the watchdog agency said.
To French authorities, Google’s business practices ran afoul of Europe’s new General Data Protection Regulation. Implemented in 2018, the sweeping privacy rules, commonly known as GDPR, have set a worldwide benchmark that has forced Google and its technology peers in Silicon Valley to rethink their data-collection practices or risk sky-high fines.
America lacks a similar, overarching federal consumer privacy law, a deficiency in the eyes of privacy rights advocates that has elevated Europe as the world’s de facto privacy cop.
Despite Google’s recent changes to comply with the E.U. rules, the CNIL said in a statement that “the infringements observed deprive the consumers of essential guarantees concerning processing operations which could disclose significant pieces of their private life because they are based on a huge number of data, a huge array of services and almost unlimited possible combinations.”
In response, Google said it’s “analyzing the decision to determine our next steps,” adding: “People expect high standards of control and transparency from us. We are deeply committed to meeting those expectations and the approval requirements of the GDPR.”
French authorities began investigating Google on May 25 – the day GDPR went into effect – in response to issues raised by two groups of privacy activists. The groups filed additional privacy complaints against Facebook and its subsidiaries, photo-sharing app Instagram and messenger service WhatsApp, in other EU countries.
“We are extremely happy that for the first time a European data protection authority is using the options of GDPR to punish clear violations of this law,” said Max Schrems, the chief of the nonprofit noyb.eu (None of Your Organization). “It is important that the police make it clear that just claiming to be compliant isn’t enough.”
The French fine could presage even tougher scrutiny of Google and the rest of Silicon Valley in Europe, which has already shown its willingness to penalize US-based tech firms for their missteps. In recent years, EU officials have penalised Apple for its tax practices, probed Facebook over several privacy scandals and slapped Google with a record-breaking fine over charges that it sought to undermine its corporate competitors.
“The big question now is why the Federal Trade Commission failed to act against the technology companies over these many years,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. The FTC is Washington’s top privacy and security watchdog.
Under the E.U.’s data privacy legislation, technology giants such as Google have to give users a full, clear picture of the information they collect, along with simple, specific tools for consumers to consent to having their personal information tapped. In both cases, France said that Google had erred. Full details about exactly what Google does with customers’ personal information are “excessively sprinkled across several files,” according to the CNIL. The lack of transparency is all the more jarring to consumers, the watchdog said, because of the sheer volume of services Google operates – including its maps service, YouTube and its app store.
Though Google users can alter their privacy settings when they create an account, French authorities stated it isn’t enough – partly because the default setting is for Google to display personalised ads to users. Meanwhile, Google requires individuals who register to consent to its terms and conditions in full in order to create an account, a form of consent the CNIL faulted since it requires customers to agree to everything – or not use the service at all.
Some consumer advocates nevertheless bristled that France had not gone far enough. La Quadrature du Net, one of the groups that filed the complaint against Google, lamented that the fine is “quite low compared to Google’s annual turnover.”
While the group said it appreciated the first move to fine Google, its members believed that the French regulators had focused solely on a small portion of the tech company’s alleged violations. They said they expected that the enforcement agency would respond soon to the remainder of their complaint, and they noted that the highest potential fine is more than $4.7 billion (approximately Rs. 33,500 crores).
Estelle Massé, a data protection expert at the advocacy group Access Now, called the French ruling “the first major signal” of Europe’s willingness to apply GDPR. Other companies, she said, had engaged in practices similar to Google’s, increasing the risk that additional US tech giants may face fines of their own.
“Google isn’t the only one doing so,” Massé said. “This is significant for Google as a business but also for other actors.”