In its first imposition of new financial sanction limits under the European Union’s General Data Protection Regulation (GDPR), the restricted committee of France’s National Commission for Information Technology and Civil Liberties (CNIL) has imposed a 50 million euro (US$56.8 million) penalty on Google LLC for violating the GDPR by not providing easily accessible information about the treatment of collected data and by not obtaining valid user consent to process data for ad personalization.
In explaining the fine, the CNIL said that users were deprived of “essential guarantees regarding processing operations that can reveal important parts of their private life,” that “the violations are continuous breaches of the Regulation as they are still observed to date,” and that the Android operating system has “an important place” in the French market, with thousands of French users creating Google accounts on their phones every day.
The case stems from complaints filed with the CNIL in May 2018 by None Of Your Business (NOYB) and La Quadrature du Net (LQDN), alleging that Google lacked a valid legal basis for processing users’ personal data, particularly for ad personalization.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service,” the CNIL said yesterday in announcing the committee’s action.