France's data privacy watchdog has fined Google 50 million euros ($57 million) under the European Union's General Data Protection Regulation (GDPR) making it the most significant regulatory enforcement action since the law came into effect in May. The National Data Protection Commission (CNIL) says Google was fined due to "lack of transparency, inadequate information and lack of valid consent" in its ad personalization service. More specifically, the group has identified two violations:
— A violation of the obligations of transparency and information: "the general structure of the information chosen by the company does not enable to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information..."
— A violation of the obligation to have a legal basis for ads personalization processing: "The company GOOGLE states that it obtains the user's consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained..."
Google says: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We're studying the decision to determine our next steps."