“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, the leader of the nonprofit Noyb.eu (None of Your Business). “It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
The French fine could presage even tougher scrutiny of Google and the rest of Silicon Valley in Europe, which already has demonstrated its willingness to punish U.S.-based tech companies for their missteps. In recent years, E.U. officials have penalized Apple for its tax practices, probed Facebook for multiple privacy scandals and slapped Google with a record-breaking fine on charges it sought to undermine its corporate rivals. U.S. consumer advocates on Monday strongly encouraged Washington to follow Europe’s lead.
“The big question now is why the Federal Trade Commission failed to act against the tech firms over these many years,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. The FTC is Washington’s top privacy and security watchdog.
Under the E.U.’s data privacy law, tech giants including Google must give users a full, clear picture of the data they collect, along with simple, specific tools for users to consent to having their personal information harnessed. In both cases, France said that Google had erred.
Full details about what Google does with users’ personal information are “excessively disseminated across several documents,” according to the CNIL. The lack of transparency is even more jarring to users, the watchdog said, because of the sheer volume of services Google operates — including its Maps service, YouTube and its app store.
Even though Google users can modify their privacy settings when they create an account, French regulators said it still isn’t enough — partly because the default setting is for Google to display personalized ads to users. Meanwhile, Google requires people who sign up to agree to its terms and conditions in full to create their accounts, a form of consent that the CNIL faulted because it requires users to agree to everything — or not use the service at all.
Some consumer advocates still bristled that France had not gone far enough. La Quadrature du Net, one of the groups that filed the complaint against Google, lamented it is “very low in comparison to Google’s annual turnover.”
While the group said it appreciated the initial move to fine Google, they felt that the French regulators had focused only on a small portion of the tech company’s alleged violations. They said they hoped that the enforcement agency would respond soon to the rest of their complaint, and they noted that the maximum possible fine is more than $4.7 billion.
Estelle Massé, a data protection expert at the advocacy group Access Now, described the French ruling as “the first big signal” about Europe’s willingness to enforce GDPR. Other companies, she said, had engaged in practices similar to Google, raising the possibility that additional U.S. tech giants could face fines of their own.
“Google is not the only one doing this,” Massé said. “This is significant for Google as a company but also for other actors.”
© Washington Post