France’s data protection regulator, CNIL, has issued Google a €50 million fine (around $56.8 million USD) for failing to comply with its GDPR obligations. This is the biggest GDPR fine yet to be issued by a European regulator and the first time one of the tech giants has been found to fall foul of the tough new regulations that came into force in May last year.
CNIL said that the fine was issued because Google failed to provide enough information to users about its data consent policies and didn’t give them enough control over how their information is used. According to the regulator, these violations are yet to have been rectified by the search giant. Under GDPR, companies are required to gain the user’s “genuine consent” before collecting their information, which means making consent an explicitly opt-in process that’s easy for people to withdraw.
Although the €50 million fine seems large, it’s small compared to the maximum limits allowed by GDPR, which allows a company to be fined a maximum of four percent of its annual global turnover for more serious offenses. For Google, which made $33.74 billion in the last quarter alone, that could result in a fine in the billions of dollars.
This is not the first GDPR fine to have been issued, but it’s by far the biggest. In December, a Portuguese hospital was fined €400,000 after its staff used bogus accounts to access patient records, while a German social media and chat service was fined €20,000 in November for storing social media passwords in plain text. A local business in Austria was also fined €4,800 in October last year for having a security camera that was filming public space.
Responding to the fine, a Google spokesperson said that the company is “deeply committed” to meeting the “high standards of transparency and control” that people expect of it. They said that the company was studying CNIL’s decision in order to determine its next steps. In a later statement, Google announced that it planned to appeal the fine, noting that it was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond,” via AFP.
Separately, Google has also been accused of GDPR privacy violations by consumer groups across seven European countries over what they claim are “deceptive practices” around its location tracking.
Update January 21st, 11:47AM ET: Updated with Google’s statement.
Update January 23rd, 2:48PM ET: Added additional statement from Google regarding plans to appeal.