Fine comes a day before Google’s EU move…
France’s data protection watchdog CNIL has fined Google €50 million (£44 million) for breaching Europe’s General Data Protection Regulation (GDPR) – just one day before Google moves its service provision to Dublin from the US and makes Google Ireland Limited the “data controller” legally responsible for EEA and Swiss users’ information.
The watchdog found that Google is not GDPR-compliant for two reasons: 1) data processing for new Android users appears to happen outside Europe without consent and 2) data processing permissions intended to help personalise ads are not transparent enough for users. (The original complaint focussed on the notion of “forced consent”).
Broad consent such as this is banned under GDPR.
Google GDPR Fine: Information “Scattered”
“The general architecture of the information chosen by the company does not respect the obligations of the Regulation. Essential information, such as the purposes for which the data is processed, the length of time the data is stored, or the categories of data used to personalise the advertisement, are excessively scattered throughout several documents, which include buttons and links that it is necessary to activate to read additional information,” CNIL said in a French-language statement.
Google said it is studying the statement.
It added: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”
Varonis’s Matt Lock in an emailed comment described the fine as likely to “quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower.”
“It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar – their luck may be running out soon.”
Eight Firms At Risk
The fine comes after complaints were filed by two privacy rights groups and just a day before Google belatedly makes Google Ireland Ltd the “service provider” responsible for most of its consumer services, from Search to Gmail to Maps.
The company’s European headquarters in Dublin will also now be the “data controller” legally responsible for EEA and Swiss users’ information.
With one of the original complainants, noyb, on Friday filing fresh complaints against eight tech firms including Apple, Amazon, Netflix, Spotify and YouTube, alarm bells will be ringing across the Atlantic. Those complaints come after noyb’s testing of GDPR’s “right to access” clause found that none of the companies responded effectively.
Under GDPR users can request a copy of all raw data that a company holds about the user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed or information about the countries in which the data is stored and how long it is stored.
Yet after requesting it from eight streaming companies no service fully complied, they said.
“While many smaller companies manually respond to GDPR requests, larger services like YouTube, Apple, Spotify or Amazon built automated systems that claim to provide the relevant information. When tested, none of these systems provided the user with all relevant data.”
Max Schrems, director of noyb: “Many services set up automated systems to respond to access requests, but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.”