GOOGL Alphabet Inc

By Sam Schechner 

A French regulator fined Alphabet Inc.'s Google 50 million euros ($56.8 million) -- the biggest penalty so far under a new European privacy law -- alleging the search-engine giant didn't go far enough getting valid user consent to gather data for targeted advertising.

The fine represents one of the highest profile regulatory actions so far stemming from GDPR, the European Union-wide "General Data Protection Regulation," which went into effect last year. The law requires companies to abide by strict data-protection and privacy rules protecting EU residents. A big part of the new rules is a requirement that companies explain to users how their data is being collected and used, and in many cases seek consent from users to collect it.

"People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We're studying the decision to determine our next steps," a Google spokesman said. Google can appeal the decision.

The fine is small for Google, but it is by far the biggest penalty issued so far by any of the handful of national regulators with authority to use GDPR to redress what they deem insufficient data or privacy protection. It also represents the starting shot of what many observers say could be a raft of regulatory actions as officials wield the new legal tool -- and potentially test its bounds.

Under the new law, EU regulators can fine companies up to 4% of their world-wide annual revenue, or 20 million euros, whichever is larger.

The French ruling issued Monday focuses on what is likely to be a significant legal question in coming years: What constitutes legal consent for a company to use an individual's personal data? Privacy activists say that many companies make it too complicated or unclear for consumers to access their services without agreeing to allow the use of one's data. They also contend that companies are violating the GDPR by saying too much user data is necessary to provide their services.

Monday's decision stems from two of several complaints filed by those activists against big tech firms in multiple EU countries when the GDPR went into effect last May. The complaints have alleged that users' consent isn't freely given as the law requires.

Big tech companies for their part say they have worked hard to design systems for users to give or withdraw consent without overwhelming them with too many choices. Google has in fact attracted criticism from some publishers, particularly in Germany, for being rigid in requiring explicit consent from users to whom publishers wish to show targeted ads.

The French ruling issued Monday focused on how easy to find and how complete was the consumer-consent information provided by Google.

France's National Data Protection Commission, or CNIL, said Google violated rules requiring information about data collection to be transparent, and users to be sufficiently informed. It said full information about things like data-processing purposes and data-storage time periods weren't all presented in the same place -- in some cases requiring up to five or six clicks. It said that some boxes giving consent were already checked, in what the regulator said was a violation of the law.

As a result, the CNIL said Google hadn't obtained appropriate user consent for personalized ads on Google's platforms.

Going forward, the French regulator won't be able act alone in ordering changes to how Google handles consent. Instead, the CNIL will have to work with other EU regulators, primarily Ireland's Data Protection Commissioner, which will as of Tuesday become Google's lead data-protection authority in the EU for most matters.

Ireland's DPC said Monday that Google until now hasn't met its criteria for having an establishment in Ireland, because its U.S. entity was responsible for processing EU users' data, rather than its Irish unit. That has meant that any EU privacy regulator -- including the CNIL -- has had standing to investigate and fine Google.

In December, Google said that it would, as of Jan. 22, make changes to its terms and conditions that will make clear that Ireland's DPC is its main privacy regulator in Europe for most matters.

Write to Sam Schechner at sam.schechner@wsj.com

(END) Dow Jones Newswires

January 21, 2019 14:18 ET (19:18 GMT)

Copyright (c) 2019 Dow Jones & Company, Inc.