France’s data protection watchdog CNIL has fined Google €50 million (£44 million) for breaching Europe’s General Data Protection Regulation (GDPR) – just one day before Google moves its service provision to Dublin from the US and makes Google Ireland Limited the “data controller” legally responsible for EEA and Swiss users’ information.
The watchdog found that Google is not GDPR-compliant for two reasons: 1) data processing for new Android users appears to happen outside Europe without consent and 2) data processing permissions intended to help personalise ads are not transparent enough for users. (The original complaint focussed on the notion of “forced consent“).
Google also by default ticks a box that says “I agree to the processing of my information as described above and further explained in the Privacy Policy” when a user creates a new account on their smartphone, without clearly specifying that this is for personalised ads not just on Android but across Youtube et al.
Broad consent such as this is banned under GDPR.
Google GDPR Fine: Information “Scattered”
“The general architecture of the information chosen by the company does not respect the obligations of the Regulation. Essential information, such as the purposes for which the data is processed, the length of time the data is stored, or the categories of data used to personalise the advertisement, are excessively scattered throughout several documents, which include buttons and links that it is necessary to activate to read additional information” CNIL said in a French language statement.
Google said it is studying the statement.
It added: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
Content from our partners
“A cold shower” for US enterprises?
Varonis‘s Matt Lock in an emailed comment described the fine as likely to “quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower.”
“It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar– their luck may be running out soon.”
Eight Firms At Risk
The fine comes after complaints were filed by two privacy rights groups and just a day before Google belatedly makes Google Ireland Ltd the become the “service provider” responsible for most of its consumer services, from Search to Gmail to Maps.
The company’s European headquarters in Dublin will also now be the “data controller” legally responsible for EEA and Swiss users’ information.
With one of the original complainants, noyb, on Friday filing fresh complaints against eight tech firms including Apple, Amazon, Netflix, Spotify and YouTube, alarm bells will be ringing across the Atlantic. Those complaints come after noyb its testing of GDPR’s “right to access” clause found that none of the companies responded effectively.
See also: Irish Judge Warns of “Potentially Grave Prejudice” in Max Schrems Case
Under GDPR users can request a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored.
Yet after requesting it from eight streaming companies no service fully complied, they said.
“While many smaller companies manually respond to GDPR requests, larger services like YouTube, Apple, Spotify or Amazon built automated systems that claim to provide the relevant information. When tested, none of these systems provided the user with all relevant data.”
Max Schrems, director of noyb: “Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”
