France fines Google $57 million under new EU data-privacy law

French regulators said Google failed to fully disclose how users' personal information is collected and what happens to it.

By Tony Romm

Jan. 21, 2019 8:41 AM PT

Washington Post

Google has been fined about $57 million by French regulators for violating Europe’s tough new data-privacy rules. It’s the first major penalty brought against a U.S. technology giant since the regulations took effect last year.

France’s top data-privacy agency, known as the CNIL, said Monday that Google failed to fully disclose to users how their personal information is collected and what happens to it. Google also did not properly obtain users’ consent for the purpose of showing them personalized ads, the watchdog agency said.

To French regulators, Google’s business practices ran afoul of the European Union’s new General Data Protection Regulation. Implemented in 2018, the sweeping privacy rules, commonly referred to as GDPR, have set a global standard forcing Google and its tech peers to rethink their data-collection practices or risk sky-high fines.

The United States lacks a similar, overarching federal consumer privacy law. Privacy rights advocates see that as a deficiency, and it has elevated Europe as the world’s de facto privacy cop.

Despite Google’s recent changes to comply with the EU rules, the CNIL said, “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”

In response, Google said it is “studying the decision to determine our next steps,” adding: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

French regulators began investigating Google on May 25 — the day GDPR went into effect — in response to concerns raised by two groups of privacy activists. They filed additional privacy complaints against Facebook Inc. and its subsidiaries, photo-sharing app Instagram and messenger service WhatsApp, in other EU countries.

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, the leader of noyb.eu, a nonprofit whose name stands for “none of your business.”

“It is important that the authorities make it clear that simply claiming to be compliant is not enough,” Schrems said.

The French fine could presage even tougher European scrutiny of Google — a unit of Alphabet Inc. — and other Silicon Valley companies. Europe already has demonstrated its willingness to punish U.S. tech companies for their missteps. In recent years, EU officials have penalized Apple Inc. for its tax practices, investigated Facebook for multiple privacy scandals and slapped Google with a record-breaking fine on allegations that it sought to undermine its corporate rivals.

U.S. consumer advocates on Monday strongly encouraged the U.S. government to follow Europe’s lead. “The big question now is why the Federal Trade Commission failed to act against the tech firms over these many years,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. The FTC is Washington’s top privacy and security watchdog.

Under the EU’s data privacy law, tech giants including Google must give users a full, clear picture of the data they collect, along with simple, specific tools for users to consent to having their personal information harnessed. In both cases, France said that Google had erred. Full details about what Google does with users’ personal information are “excessively disseminated across several documents,” according to the CNIL. The lack of transparency is even more jarring to users, the French watchdog said, because of the sheer volume of services Google operates — including its maps service, YouTube and its app store.

Even though Google users can modify their privacy settings when they create an account, French regulators said it still isn’t enough — partly because the default setting is for Google to display personalized ads to users. Meanwhile, Google requires people who sign up to agree to its terms and conditions in full to create their accounts, a form of consent that the CNIL faulted because it requires users to either agree to everything or entirely forgo using the service.

Some consumer advocates said France had not gone far enough. La Quadrature du Net, one of the groups that filed the complaint against Google, lamented that the fine is “very low in comparison to Google’s annual turnover.”

While the group said it appreciated the initial move to fine Google, it felt that the French regulators had focused only on a small portion of the tech company’s alleged violations. The group said it hoped that the enforcement agency would respond soon to the rest of its complaint, and it noted that the maximum possible fine is more than $4.7 billion.

Estelle Massé, a data protection expert at the advocacy group Access Now, described the French ruling as “the first big signal” about Europe’s willingness to enforce GDPR. Other companies, she said, had engaged in practices similar to Google’s, raising the possibility that additional U.S. tech giants could face fines of their own.

“Google is not the only one doing this,” Massé said. “This is significant for Google as a company but also for other actors.”

Romm writes for the Washington Post.