Netease TechCrunch reported on January 22 that CNIL, the French data protection regulator, recently fined Google $57 million (about 50 million euros) under the European General Data Protection Regulation (GDPR). The regulator said Google did not comply with GDPR when new Android users set up new phones and followed the Android setup process. This is also the biggest penalty for a company since the implementation of GDPR.
As early as May 2018, two non-profit organizations, None Of Your Business (NOYB) and La Quadrature du Net, had filed complaints against Google and Facebook. Under GDPR, complaints are transferred to local data protection regulators. Although Google's European headquarters are in Dublin, CNIL first concluded that the Dublin team had no final say in processing data for new Android users, and that the decision was likely made at the Mountain View headquarters.
CNIL then concluded that Google did not comply with the GDPR rules in terms of transparency and user consent.
Regarding the lack of transparency, the regulator wrote in the report: Some important information, such as data processing purposes, data storage cycles or personal data categories for personalized advertising, is over-dispersed in multiple documents, and users need to click buttons and links to obtain supplementary information. For example, if users want to know how their data is processed for personalized advertising, they need to click five or six times. CNIL also said that it is often difficult for users to understand how their data is used and that Google's language is deliberately broad and obscure.
Secondly, CNIL argues that the process by which Google obtains user consent before using data does not meet the GDPR requirements. By default, Google prompts users to register for Google accounts. The company told users that their experience would be terrible without a Google account. CNIL claims that Google should separate the creation of accounts from the setting up of devices, and that bundling the two is illegal.
If a user chooses to register for a Google account, Google does not explain what it means when the company asks the user to check or uncheck certain settings. For example, when Google asks if you want personalized advertising, the company doesn't tell you that it's actually talking about many different services, from YouTube to Google Maps to Google Photos, not just your Android phone.
In addition, Google does not get your explicit consent when you create your account, because the option to opt out of personalized advertising is hidden behind the "More Options" link. By default, this option is pre-checked (although it should not have been).
Max Schrems, chairman of NOYB, issued a statement saying: We are excited that for the first time, European data protection regulators have used GDPR to punish clear violations of the law. With the introduction of GDPR, we find that large companies like Google simply interpret the law in different ways, often just making superficial adjustments to their products. More importantly, regulators must make it clear that complaints alone are not enough. We are gratified that our efforts to protect people's fundamental rights are yielding results.
A spokesman for Google said in a statement: People have high expectations for us to improve transparency and control. We are committed to meeting these expectations and the agreed requirements of GDPR. We are studying CNIL's decision to decide what to do next.
Source: Netease Science and Technology Report. Responsible Editor: Wang Fengzhi_NT2541