France’s data protection watchdog group (CNIL) fined Alphabet’s Google on Monday for breaching EU internet privacy rules.
The €50 million (USD $57 million) fine is the largest penalty thus imposed on a US tech company, thanks to an increase in sanction limits under the EU’s new General Data Protection Regulation (GDPR).
The GDPR, enacted in May, is a set of data protection rules that applies to all companies operating within the EU, aimed at giving internet users greater control over their personal data. It gives regulators the power to fine for up to 4 percent of a company’s global revenue for violations.
The CNIL stated that Google violated the GDPR by making it too difficult for users to obtain information on the company’s data consent policies, especially with regard to targeted advertising. The ruling came in response to complaints to non-government activist groups Quadrature du Net and Non Of Your Business (NOYB).
NOYB creator Max Schrems had accused the company of obtaining “forced consent” to its data practices through the use of pop-up boxes online which give the impression that consent is necessary in order to access Google’s services. The information provided by Google also does not make it sufficiently clear that the user’s consent is the basis upon which the use of targeted advertisement is legally justified.
The CNIL has said that the size of the fine reflects the seriousness of the failings, as well as Google’s dominance in the French marketplace through Android smartphones. Google has issued a statement pledging to meet the expectations of Europe and the GDPR.