French regulators hit Google with a $57 million fine for violating GDPR rules that took effect last May by being less than upfront about how user data is collected and used.
French data privacy agency CNIL levied the fine, the first against a U.S. company since GDPR took effect last spring, noting that Google
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL said in a statement. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.”
The agency also said Google didn’t get proper consent from users to show them personalized ads.
“It is high time to show the Internet companies that the lawmakers were serious about strengthening the right to privacy,” said Dr.-Ing Marc Al-Harmes, managing director of Cliqz GmbH, noting that without consequences GDPR would become nothing more than a paper tiger. “To start with Google is absolutely right because its parent company Alphabet is by far the most important data monopolist. With Google search, the Android operating system, the Play Store app sales platform and the Chrome browser, the Internet giant is raising behavioral profiles in alarming detail above virtually everyone in the Western world and using them for advertising purposes.”
Al-Harmes said Google users don’t have an “effective way to escape tracking” and even the users “who completely forego Google services, which is almost impossible, stand no chance.” Cliqz statistics show that “80 percent of all the web pages we all load every day contain Google tracking software,” he said. “That alone is more than enough to monitor our behavior in the digital world.”
The Google fine signals a shift in tone by regulators and the end of an unofficial grace period of sorts. “It will likely pave the way for penalties for other prolific companies that have not yet met the demands of the new law,” said Bitglass CTO and co-founder Anurag Kahol, who noted other organizations might not be “large enough or successful enough” to absorb a large financial penalty. “This instance should be a wakeup call for organizations everywhere to begin taking data privacy far more seriously.”
Saying that CNIL was flexing its muscle, Mike Banic, vice president of Marketing at Vectra, said this “clear exercise of authority signals that others will follow.”
While the fine is more modest than it could have been – the maximum penalty for Google could have been $3.5 billion – Tim Erlin, vice president, product management and strategy at Tripwire, said “successful enforcement of the GDPR is an incredibly important step in determining the effectiveness of the regulation,” noting that “without teeth, no regulation can make a material difference.”
But Jonathan Bensen, interim CISO at Balbix, contended CNIL’s action “does not seem to be aimed towards solving the issue, but towards making money.” Most people, Bensen said, “should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.”
So if CNIL was bent on solving the issues for which it fined Google, the agency “should suggest Google change the language in its Terms of Service versus imposing a fine without offering a solution,” he said. “While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.”
Regardless of whether Google may challenge the ruling, Banic said, “this is an important test of GDPR law that may bring both precedence and greater clarity around GDPR implementation for others.”
Because the ruling represents the first time a U.S. company has been penalized under GDPR, it likely will prompt organizations to “reprioritize how we handle GDPR going forward and reignite the boardroom conversations,” said Thycotic CISO Terence Jackson.