France’s record €50m fine on Google just the beginning, campaigners say

French regulators handed a record fine of 50 million euros to web giant Google on Monday, arguing the company does not do enough to inform users what it does with the personal information they provide to the company’s services.

France’s independent National Commission on Informatics and Liberty (CNIL), whose mission is to ensure data privacy law is applied in regards to personal information, said Google lacked transparency and clarity in the way it informs users and failed to properly obtain consent for personalised ads.

It was the first action on the part of the national regulator of any European Union (EU) member state for violations to the bloc’s General Data Protection Regulation (GDPR), which came into effect last 25 May.

“People expect high standards of transparency and control from us,” Google said in a statement. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

More decisions to come

The fine came after two data protection groups, La Quadrature du Net in France and None Of Your Business (Noyb) in Austria, filed complaints aiming at some of the largest and most recognisable names of the web the day the GDPR came into effect.

“There are still three complaints pending on the same grounds of obtaining users’ content against Instagram, WhatsApp and Facebook,” said Ioannis Kouvakas, a data protection lawyer with Noyb.

“They are being decided or are under investigation before different supervisory authorities across the EU, and we are expecting a similar strict approach by the rest of the data protection authorities towards upholding users’ rights.”

The 50 million euro fine for violations to data protection rules is the largest ever imposed on any of the GAFA – web giants Google, Apple, Facebook and Amazon –  over data.

La Quadrature du Net expressed regret that CNIL did not address all aspects of its own complaint and did not impose the maximum 4-percent-of-revenue fine allowed by the GDPR, which in the case of Google, whose revenues were upwards of 110 billion US dollars last year, would have been 4 billion euros.

But one of the most significant aspects of the GDPR is that its rules apply in all EU member states, meaning the fines could begin snowballing if regulators in different countries take similar actions.

Noyb said the CNIL decision fine also sets the tone for other web giants active in Europe.

“This can also serve as an illustrative example for the rest of the companies that wish to evade GDPR in a way that is convenient for them, and make sure that they have to comply with their data protection obligations.”