Google has become the first major company to be fined under new European data laws, marking a new power struggle between regulators and technology giants.
French privacy watchdogs announced on Monday they were fining the search engine €50m for the way it handles user data to create personalised ads.
The Paris-based data protection office, CNIL, said they were sanctioning Google over a “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”
While Google has taken some measures to comply with the General Data Protection Regulation (GDPR), CNIL said the search engine’s users could not understand how Google uses their data because its disclosures are “generic and vague” and spread across different documents.
Google, however, disagrees. On Wednesday, a spokesperson declared the company would challenge the decision. They said: “We’ve worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing.
“We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal.”
The fine is a defining moment for EU tech regulation. While the General Data Protection Regulation (GDPR) came into effect in May 2018, for the past eight months regulators have seemed uncertain of how to interpret the ambiguous new rules.
But that period of uncertainty appears to be over.
Compared to the £500,000 fine the UK issued to Facebook in the aftermath of the Cambridge Analytica scandal, the €50m French penalty marks a change in attitude among European policy makers who were expected to crack down on big tech after the industry was plagued by scandals throughout 2018.
The fine could set a benchmark for data protection authorities in other EU countries, sparking concern among tech companies, data brokers and credit reference agencies that rely on a business model of harvesting and processing data for money.
GDPR enables European countries to issue fines of up to €20m or 4% of annual turnover, whichever is higher.