France’s data protection authority (DPA), the CNIL, recently announced that it has fined Google $57 million for violations of the General Data Protection Regulation (GDPR). This is the first fine by a European DPA of an American company for alleged violations of the sweeping EU privacy law.
According to the CNIL, Google did not tell consumers how their data could be collected and stored, and did not obtain adequate consent from consumers for targeted advertising.
The CNIL found that requiring all users signing up for an account to agree to the terms and conditions before they access Google’s services was unfair. The CNIL also found that users’ personal information was “excessively disseminated” across Google’s services.
Many predicted that the biggest tech companies would be first in line for scrutiny and sanctions by DPAs, but this fine is a strong message that DPAs will be closely examining the transparency of companies in the collection and use of consumers’ data, as well as how the data is shared in combination with other products and services. It is clear that DPAs will question whether the unilateral requirement of consumers’ acceptance of terms of use is sufficient consent under GDPR.