The Washington PostDemocracy Dies in Darkness

France fines Google nearly $57 million for first major violation of new European privacy regime

January 21, 2019 at 12:54 p.m. EST
In response to the fine, Google said it is “studying the decision to determine our next steps.” (Mike Segar/Reuters)

Google has been fined nearly $57 million by French regulators for violating Europe’s tough new data-privacy rules, marking the first major penalty brought against a U.S. technology giant since the regionwide regulations took effect last year.

France’s top data-privacy agency, known as the CNIL, said Monday that Google failed to fully disclose to users how their personal information is collected and what happens to it. Google also did not properly obtain users’ consent for the purpose of showing them personalized ads, the watchdog agency said.

To French regulators, Google’s business practices ran afoul of Europe’s new General Data Protection Regulation. Implemented in 2018, the sweeping privacy rules, commonly referred to as GDPR, have set a global standard that has forced Google and its tech peers in Silicon Valley to rethink their data-collection practices or risk sky-high fines. The United States lacks a similar, overarching federal consumer privacy law, a deficiency in the eyes of privacy rights advocates that has elevated Europe as the world’s de facto privacy cop.

Despite Google’s recent changes to comply with the E.U. rules, the CNIL said in a statement that “the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”

In response, Google said it is “studying the decision to determine our next steps,” adding: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”

French regulators began investigating Google on May 25 — the day GDPR went into effect — in response to concerns raised by two groups of privacy activists. They filed additional privacy complaints against Facebook and its subsidiaries, photo-sharing app Instagram and messenger service WhatsApp, in other E.U. countries. 

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, the leader of the nonprofit Noyb.eu (None of Your Business). “It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

The French fine could presage even tougher scrutiny of Google and the rest of Silicon Valley in Europe, which already has demonstrated its willingness to punish U.S.-based tech companies for their missteps. In recent years, E.U. officials have penalized Apple for its tax practices, probed Facebook for multiple privacy scandals and slapped Google with a record-breaking fine on charges it sought to undermine its corporate rivals. U.S. consumer advocates on Monday strongly encouraged Washington to follow Europe’s lead. 

“The big question now is why the Federal Trade Commission failed to act against the tech firms over these many years,” said Marc Rotenberg, the executive director of the Electronic Privacy Information Center. The FTC is Washington’s top privacy and security watchdog.

Under the E.U.’s data privacy law, tech giants including Google must give users a full, clear picture of the data they collect, along with simple, specific tools for users to consent to having their personal information harnessed. In both cases, France said that Google had erred. 

Full details about what Google does with users’ personal information are “excessively disseminated across several documents,” according to the CNIL. The lack of transparency is even more jarring to users, the watchdog said, because of the sheer volume of services Google operates — including its Maps service, YouTube and its app store. 

Even though Google users can modify their privacy settings when they create an account, French regulators said it still isn’t enough — partly because the default setting is for Google to display personalized ads to users. Meanwhile, Google requires people who sign up to agree to its terms and conditions in full to create their accounts, a form of consent that the CNIL faulted because it requires users to agree to everything — or not use the service at all.

Some consumer advocates still bristled that France had not gone far enough. La Quadrature du Net, one of the groups that filed the complaint against Google, lamented it is “very low in comparison to Google’s annual turnover.”

While the group said it appreciated the initial move to fine Google, they felt that the French regulators had focused only on a small portion of the tech company’s alleged violations. They said they hoped that the enforcement agency would respond soon to the rest of their complaint, and they noted that the maximum possible fine is more than $4.7 billion.

Estelle Massé, a data protection expert at the advocacy group Access Now, described the French ruling as “the first big signal” about Europe’s willingness to enforce GDPR. Other companies, she said, had engaged in practices similar to Google, raising the possibility that additional U.S. tech giants could face fines of their own. 

“Google is not the only one doing this,” Massé said. “This is significant for Google as a company but also for other actors.”

Quentin Ariès and Michael Birnbaum in Brussels and James McAuley in Paris contributed to this report. 

Today’s coverage from Post correspondents around the world

Like Washington Post World on Facebook and stay updated on foreign news