Google cops €50m GDPR fine

Google is the first tech giant to be penalised under Europe's strict General Data Protection Regulation (GDPR), receiving a €50 million (A$80 million) fine for privacy violations.

France's Commission nationale de l'informatique et des libertés (CNIL) data protection authority investigated complaints by privacy advocacy groups None Of Your Business (NOYB) and La Quadrature du Net laid in May last year.

The two groups accused Google of imposing "forced consent" on users for processing advertisement personalisation data, saying the company had no legal basis to do so.

CNIL's restricted committee agreed with NOYB and LQDN and found that Google had violated the GDPR as it did not obtain users' consent in a valid manner.

Users are not given easy access to important information such as what the data is used for and how long it's stored, CNIL said.

The information is not always clear and comprehensive either, as the purpose of processing user data across some twenty Google services is described in what CNIL said is "a too generic and vague manner". 

While users are able to configure some options to personalise ad display on Google services using tick boxes on a web page, CNIL noted that they are preselected. 

The GDPR states that collected consent has to be unambigious, with users clearly ticking non-preselected boxes, CNIL said.

Furthermore, Google violated the GDPR by asking users to agree to its terms of service and to the processing of their data before they could create an account. 

This meant that users gave their consent in full to Google for ad personalisation, speech recognition and other processing, whereas the GDPR requires that it has to be given separately for each distinct purpose.

The €50 million fine is the first one handed out by CNIL under the GDPR which provides for maximum financial penalties of up to four per cent of a company's annual turn over. In Google's case, this could have amounted to A$5.9 billion.

NOYB was set up by Austrian lawyer and activist Max Schrems who last year won a partial victory against Facebook for privacy violations.

The group recently filed complaints against streaming services Apple Music, Amazon Prime, Netflix, Google YouTube, Soundcloud, Spotify, DAZN and Filmmit, alleging they have failed respond adequately to users' requests for access to data held on them.

Should the maximum penalties be imposed on the above companies, NOYB estimates it could be as high as €18.8 billion (A$30 billion).