Within a month of the GDPR (General Data Protection Regulation) going into effect, Google was already seen violating the regulation. French regulatory body CNIL (National Data Protection Commission) sent two complaints on June 1, 2018 regarding Google not having a valid legal basis for processing users’ personal data.
Now, CNIL is proposing a penalty of €50 million ($56.8 million USD) against Google. According to CNIL, this is the first time the organization is applying a penalty in regards to the GDPR.
CNIL observed two breaches by Google of the GDPR. The first is that the information provided by Google is now easily accessible to users. Second, some of that information is not always clearly stated or comprehensive.
In response, Google claimed that it does obtain user consent to process data to personalize advertisements, but the committee found two reasons that this consent is not validly obtained. CNIL found that users’ consent is not sufficiently informed and is “neither ‘specific’ nor ‘unambiguous.’”
“Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent. Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” CNIL wrote in a post.