Google has been fined 50 million euros by the French data regulator, the National Data Protection Commission (CNIL), for a breach of the EU's data protection rules.
CNIL said it had levied the record fine for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation".
The regulator said it judged that people were "not sufficiently informed" about how Google collected data to personalise advertising.
In a statement, Google said it was "studying the decision" to determine its next steps.
On 25 and 28 May 2018, the CNIL said it received group complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). In the two complaints, the associations reproach Google for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.
The CNIL immediately started investigating the complaints. On 1st June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (GDPR), the CNIL sent these two complaints to its European counterparts to assess if it was competent to deal with them.
In September 2018, the CNIL examined the compliance of the processing operations implemented by Google with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user and the documents he or she can access when creating a Google account during the configuration of a mobile equipment using Android.
The CNIL concluded that the information provided by Google "was not easily accessible for users." Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, is disseminated across several documents, with buttons and links on which it is required to click to access complementary information, CNIL said.
Moreover, the French regulator observed that some information "was not always clear nor comprehensive."
"Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined," CNIL said.
Google states that it obtains the user’s consent to process data for ads personalization purposes. However, CNIL considers that the consent is not validly obtained for two reasons.
Users’ consent is not sufficiently informed. The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent, CNIL said.
The collected consent is neither “specific” nor “unambiguous”. When an account is created, the user can admittedly modify some options associated with the account by clicking on the button "More options", accessible above the button "Create Account". It is notably possible to configure the display of personalized ads, CNIL said. "That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked."
This is the first time that the CNIL has applied the new sanction limits provided by the GDPR. "The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent," CNIL said.