Google was fined over a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. The CNIL also said that it had not “sufficiently informed” users about how user data was being used to personalise advertising. In a statement, Google said it was considering whether or not to appeal the ruling.
The fine comes after the GDPR was implemented on 25 May 2018. Almost immediately after the legislation took effect, two French advocacy groups filed complaints that Google’s pop-up forms relied upon ‘forced consent’ by implying services would not be available without signing up. Google had made changes to its operations in the wake of the GDPR implementation; however, the CNIL did not find these measures, particularly the pre-checking of select tracking options, to its satisfaction.
This is the first major fine under the new GDPR, and it is also interesting that it was imposed by the French on Google, which has its European HQ in Ireland. Previously, the Irish Data Protection Regulator would have been expected to punish multinationals which have their HQs in Ireland (these include Facebook, Amazon and Apple). The Irish interpretation of the EU’s Data Protection rules has always been considered to be very liberal in comparison with other EU countries (which is why most of the large tech giants registered their EU subsidiaries there). Now, apparently, they will have to face the strictest regulations in the EU.