Google Fined $57 Million in Biggest Penalty Yet Under New European Law -- Update
January 21 2019 - 2:20PM
Dow Jones News
By Sam Schechner
A French regulator fined Alphabet Inc.'s Google 50 million euros
($56.8 million) -- the biggest penalty so far under a new European
privacy law -- alleging the search-engine giant didn't go far
enough getting valid user consent to gather data for targeted
advertising.
The fine represents one of the highest-profile regulatory
actions so far stemming from GDPR, the European Union-wide "General
Data Protection Regulation," which went into effect last year. The
law requires companies to abide by strict data-protection and
privacy rules protecting EU residents. A big part of the new rules
is a requirement that companies explain to users how their data is
being collected and used, and in many cases seek consent from users
to collect it.
"People expect high standards of transparency and control from
us. We're deeply committed to meeting those expectations and the
consent requirements of the GDPR. We're studying the decision to
determine our next steps," a Google spokesman said. Google can
appeal the decision.
The fine is small for Google, but it is by far the biggest
penalty issued so far by any of the handful of national regulators
with authority to use GDPR to redress what they deem insufficient
data or privacy protection. It also represents the starting shot of
what many observers say could be a raft of regulatory actions as
officials wield the new legal tool -- and potentially test its
bounds.
Under the new law, EU regulators can fine companies up to 4% of
their world-wide annual revenue, or 20 million euros, whichever is
larger.
The French ruling issued Monday focuses on what is likely to be
a significant legal question in coming years: What constitutes
legal consent for a company to use an individual's personal data?
Privacy activists say that many companies make it too complicated
or unclear for consumers to access their services without agreeing
to allow the use of one's data. They also contend that companies
are violating the GDPR when they say that some data is necessary to
provide their services.
Monday's decision stems from two of several complaints filed by
those activists against big tech firms in multiple EU countries
when the GDPR went into effect last May. The complaints have
alleged that users' consent isn't freely given as the law
requires.
Big tech companies for their part say they have worked hard to
design systems for users to give or withdraw consent without
overwhelming them with too many choices. Google has in fact
attracted criticism from some publishers, particularly in Germany,
for being rigid in requiring explicit consent from users to whom
publishers wish to show targeted ads.
The French ruling issued Monday focused on how easy to find and
how complete was the consumer-consent information provided by
Google.
France's National Data Protection Commission, or CNIL, said
Google violated rules requiring information about data collection
to be transparent, and users to be sufficiently informed. It said
full information about things like data-processing purposes and
data-storage time periods weren't all presented in the same place
-- in some cases requiring up to five or six clicks. It said that
some boxes giving consent were already checked, in what the
regulator said was a violation of the law.
As a result, the CNIL said Google hadn't obtained appropriate
user consent for personalized ads on Google's platforms.
Going forward, the French regulator won't be able to act alone in
ordering changes to how Google handles consent. Instead, the CNIL
will have to work with other EU regulators, primarily Ireland's
Data Protection Commissioner, which will as of Tuesday become
Google's lead data-protection authority in the EU for most
matters.
Ireland's DPC said Monday that Google until now hasn't met its
criteria for having an establishment in Ireland, because its U.S.
entity was responsible for processing EU users' data, rather than
its Irish unit. That has meant that any EU privacy regulator --
including the CNIL -- has had standing to investigate and fine
Google.
In December, Google said that it would, as of Jan. 22, make
changes to its terms and conditions that will make clear that
Ireland's DPC is its main privacy regulator in Europe for most
matters.
Write to Sam Schechner at sam.schechner@wsj.com
(END) Dow Jones Newswires
January 21, 2019 14:05 ET (19:05 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.