France’s data protection regulator CNIL has fined Google $50 million (£44 million) for failing to comply with its GDPR rules when new Android users set up a new phone and follow Android’s onboarding process. It is the biggest GDPR fine since the legislation came into play last May and the first time a tech giant has been found to breach the rules.
Two privacy rights groups Noyb and La Quadrature du Net filed complaints against Google in May 2018. The groups claimed the tech giant didn’t have a valid legal basis to process user data for ad personalisation. CNIL said that the fine is a result of the company not being clear enough about the way user data is handled to present personalised adverts.
Lack of transparency and unclear consent policies
CNIL concluded in the statement that Google failed to comply due to “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.” Google did not have a clear consent to process data because essential data was “disseminated across several documents.” The CNIL said users are not able to understand the extent of the processing operations as Google’s wording is obscure and the relevant information is accessible after several steps only.
Secondly, Google doesn’t fully explain what it means when you tick or untick certain settings. It said the company doesn't tell you that if you want personalised ads, it will be for many different services such as YouTube and Google Maps. In addition, when creating an account, the personalise ads option is pre-ticked by default – and it shouldn’t be.
In a statement, Google said: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
Under the GDPR rules, a company can be fined a maximum of 4% of its annual global turnover for more serious offenses, so Google’s fine of £44 million is relatively small when you think about Google’s earnings. The company made $33.74 billion in the last quarter alone.