It didn't take long for Google, with its penchant for harvesting data without its users' permission, to violate Europe's tough new privacy law, the General Data Protection Regulation (GDPR).

Google is the first U.S. tech firm to be penalized for violating GDPR.

Implemented only in May 2018, GDPR primarily aims to give control to Europeans over their personal online data. It also simplifies the regulatory environment for international business by unifying existing online data privacy regulations within the EU and its 27 member states.

GDPR mandates that controllers of personal data such as Google and Facebook must put in place appropriate technical and organizational measures to implement its data protection principles.

Google seems to have either wittingly or unwittingly violated GDPR. Whatever the true reason, France's National Commission on Informatics and Liberty (CNIL in French) fined Google some $57 million (€50,000) for running afoul of GDPR.

CNIL said Google failed to comply with the new rules. Among Google's infractions: failing to get the consent of users before exposing them to personalized ads, and failing to explain how a user's personal information is collected and how it will be used on the site.

In a statement, CNIL said essential information such as data processing purposes, data storage periods or the categories of personal data used for personalizing ads is excessively disseminated across several documents, with buttons and links that users must click to access complementary information.

It noted that the relevant information is accessible only after several steps. This is the case, for example, when a user wants complete information on the data collected about him or her for personalization purposes or for the geo-tracking service.

The agency also complained that privacy information Google gave to users was not always clear and comprehensive.

"The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes," said CNIL.

CNIL pointed out that the information communicated by Google is not clear enough for a user to understand that the legal basis of processing operations for ads personalization is consent, and not the legitimate interest of the company.

For its part, Google said it's reviewing the CNIL's decision to determine its next steps.

Noting that people expect high standards of transparency and control from it, Google affirmed it's deeply committed to meeting those expectations and the consent requirements of the GDPR.