France’s data watchdog on Monday announced a fine of 50 million euros ($57 million) for US search giant Google, using the EU’s strict General Data Protection Regulation (GDPR) for the first time.
Google was handed the record fine from the CNIL regulator for failing to provide transparent and easily accessible information on its data consent policies, a statement said.
The CNIL said Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a Google spokesperson said in a statement.
“We’re studying the decision to determine our next steps.”
The ruling follows complaints lodged by two advocacy groups last May, shortly after the landmark GDPR directive came into effect.
One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, while the other was by None Of Your Business, created by the Austrian privacy activist Max Schrems.
Schrems had accused Google of securing “forced consent” through the use of pop-up boxes online or on its apps which imply that its services will not be available unless people accept its conditions of use.
“Also, the information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google’s legitimate business interests,” the CNIL said.