Regulators impose €50M fine for Google because of privacy issues

The French authorities allege that the technological company is undertaking acts with serious lack of transparency

Network security and ethical hacking specialists from the International Institute of Cyber Security report that, in accordance with the General Data Protection Regulation (GDPR), the French National Commission of Informatics and Freedoms (CNIL) imposed a €50M fine to Google for “violations of transparency and information management, as the company did not request users’ consent to process their data for advertising personalization purposes”.

This measure was taken in consequence of the lawsuits presented by the non-governmental organization None Of Your Business (NOYB), dedicated to the defense of the privacy of technology users; the NGO argued that “Google does not have a solid legal basis for processing the data of its users for commercial purposes”.

This is one of the first hard tests the GDPR is facing, which came into force last May, commented experts in network security, as NOYB presented four complaints against Google, Facebook, WhatsApp and Instagram the same day, all them arguing “users’ forced consent”.

Once the complaints were received, the CNIL began an investigation to see if Google failed to comply with any of the requirements established in the GDPR and the Data Protection Act of France. At the end of the investigation, the CNIL concluded that Google failed to comply with two requirements established in the GDPR, since it does not guarantee easy access to basic information about its services, besides that it does not obtain the user’s consent to access their personal data in a legitimate way.

Experts in network security and privacy commented that, although Google publishes all the information required by the GDPR, the company makes it difficult for users to find it, as well as the information is ambiguous and incomplete, says the CNIL.

“Elementary information, such as data processing purposes or personal data storage time lapses is intentionally difficult to gather. For example, if a user wants to know how the company processes and stores their personal data, it must invest a considerable amount of time to find all the information they request from Google,” mentions CNIL’s research.

In addition, the report mentions that although Google claims to request the express consent of its users before processing their data for commercial purposes, it was found that this does not happen this way, as users are not sufficiently informed during this process, in addition to the information that Google shows can be ambiguous or not specific.

Google is not the first company failing to comply with the GDPR

NOYB also filed a complaint against YouTube, another online service owned by Google, for violating one of the main provisions of the GDPR (rights of access), which could generate a fine of up to €4 Billion, comment NOYB.

In November 2018, a few months after the entry into force of the GDPR, Google was allegedly incurring misleading practices to track the location of its users.