French regulators fined Google almost $57 million Monday for running afoul of Europe’s new data privacy laws that went into effect last year.
Google became the first U.S. tech company to be hit for violating the regulations.
France’s National Commission on Informatics and Liberty, known by the acronym CNIL, said Google did not comply with the new rules, such as getting the consent of users before exposing them to personalized ads, and explaining how their personal information will be used on the site and how it is collected.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the CNIL statement said.
“The relevant information is accessible after several steps only, implying sometimes up to five or six actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service,” the agency said.
The agency also complained that privacy information Google gave to users was not always clear nor comprehensive.
“The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes,” the CNIL said.
“Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company,” the agency said.
Google said that it was reviewing the CNIL’s decision to “determine our next steps.”
“People expect high standards of transparency and control from us,” Google said in a statement to The Washington Post. “We’re deeply committed to meeting those expectations and the consent requirements of the [General Data Protection Regulation].”
Max Schrems, the leader of the European privacy non-profit noyb, which stands for “none of your business,” cheered the CNIL’s ruling.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” Schrems said in a statement. “It is important that the authorities make it clear that simply claiming to be compliant is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit.”