
French data protection watchdog fines Google $57 million under the GDPR


NelsonG


The CNIL, the French data protection watchdog, has issued its first GDPR fine of $57 million (€50 million). The regulatory body claims that Google has failed to comply with the General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android’s onboarding process.

Two nonprofit organizations called ‘None Of Your Business’ (noyb) and La Quadrature du Net had originally filed a complaint back in May 2018 — noyb originally filed a complaint against Google and Facebook, so let’s see what happens to Facebook next. Under the GDPR, complaints are transferred to local data protection watchdogs.

While Google’s European HQ is in Dublin, the CNIL first concluded that the team in Dublin doesn’t have the final say when it comes to data processing for new Android users — that decision probably happens in Mountain View. That’s why the investigation continued in Paris.

The CNIL then concluded that Google fails to comply with the GDPR when it comes to transparency and consent.

Let’s start with the alleged lack of transparency. “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the regulator writes.

For instance, if a user wants to know how their data is processed to personalize ads, it takes 5 or 6 taps. The CNIL also says that it’s often too hard to understand how your data is being used — Google’s wording is broad and obscure on purpose.

Second, Google’s consent flow doesn’t comply with the GDPR according to the CNIL. By default, Google really pushes you to sign in or sign up to a Google account. The company tells you that your experience will be worse if you don’t have a Google account. According to the CNIL, Google should separate the action of creating an account from the action of setting up a device — consent bundling is illegal under the GDPR.

If you choose to sign up to an account, when the company asks you to tick or untick some settings, Google doesn’t explain what it means. For instance, when Google asks you if you want personalized ads, the company doesn’t tell you that it is talking about many different services, from YouTube to Google Maps and Google Photos — this isn’t just about your Android phone.

In addition to that, Google doesn’t ask for specific and unambiguous consent when you create an account — the option to opt out of personalized ads is hidden behind a “More options” link. That option is pre-ticked by default (it shouldn’t).

Finally, by default, Google ticks a box that says “I agree to the processing of my information as described above and further explained in the Privacy Policy” when you create your account. Broad consent like this is also forbidden under the GDPR.

The CNIL also reminds Google that nothing has changed since its investigation in September 2018.

Chairman of noyb Max Schrems has sent us the following statement:

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit. I would also like to thank our supporters who make our work possible.”

Update: A Google spokesperson has sent us the following statement:

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
