France's CNIL data protection agency fines Google €50m - but accused of ignoring French newspapers doing the same thing
Former Facebook CISO suggests that CNIL may be somewhat partial in its enforcement actions
French data protection agency CNIL has fined Google €50m claiming that the internet giant has broken General Data Protection Regulation (GDPR) rules on transparency.
The fine is the largest-ever GDPR penalty served to date, and comes after complaints were lodged by two privacy groups last May - right after GDPR came into force. One of the two complaints came from Austrian privacy activist Max Schrems.
The complaints alleged that Google failed to have "a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes" when setting up an account from an Android device.
Schrems also accused Google of securing "forced consent" through the use of pop-up boxes on the web and its apps that imply that its services will not be available unless people accept its privacy-busting conditions of use.
Following its investigation, CNIL concluded that users were "not sufficiently informed" about how Google collected data to personalise advertising and had failed to obtain a valid legal basis to process user data.
"Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information," the regulator wrote.
CNIL also criticised Google's sign-up process, which pushes users to sign up for a Google account when setting up a mobile device - a move that's illegal under the GDPR's consent bundling rules. In addition, the French data protection watchdog noted that the choice of advert personalisation is a pre-ticked box, which is also not allowed under GDPR.
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law," Schrems said in a statement.
"Following the introduction of GDPR, we have found that large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough."
However, former Facebook chief information security officer Alex Stamos, now a lecturer at Stanford University, suggested that while CNIL was coming down hard on Google, it appears to largely ignore European organisations doing exactly the same thing.
While CNIL has attempted GDPR enforcement action against two European marketing companies, Stamos claimed, it ignores French newspapers that have multiple trackers and non-compliant consent flows.
"For years, under the previous directive, the EU DPCs avoided the difficult balancing act between privacy, safety asks and supporting publishers. An easy out is solely using the law in splashy ways against hated US giants, which is enhanced by GDPR but not new," wrote Stamos in a Twitter thread.
If CNIL and other data protection agencies across Europe are genuinely impartial, he continued, they will take the same action, and levy the same kind of fines, against the likes of Le Monde Group and Axel Springer.
At the moment, CNIL has only taken action against a handful of small French marketing agencies - Fidzup, Teemo, Singlespot and Vectaury - issuing enforcement notices rather than big fines.
Eyes in 'Google eyes' image created by, and copyright of, digital artist Adam Dorman.