After European policy-makers adopted a sweeping data-privacy law last year, the big question was how regulators would use their new-found authority against the most powerful technology companies.
In the first major example, the French data-protection authority announced Monday that it had fined Google €50-million (approximately $75.6-million) for not properly disclosing to users how data is collected across its services – including its search engine, Google Maps and YouTube – to present personalized advertisements.
The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation (GDPR), which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data. Facebook Inc. is also a subject of several investigations by data-protection authorities in Europe.
The ruling signals a new phase in enforcing the European law, which the region’s lawmakers and privacy groups have cheered as a check against the growing power of technology companies, while, for general consumers, it has led mostly to a frustrating increase in the number of consent boxes to click. The fine against Google is just the fourth penalty against any company since the law took effect.
Europe’s experience is being closely watched by policy-makers in the United States, who are considering a new federal privacy law. Tim Cook, Apple Inc.’s chief executive officer, last week called for new rules that closely follow Europe’s.
Europe has become the world’s most aggressive tech watchdog. In addition to the privacy rules, the region’s regulators have set the bar with stricter enforcement of antitrust laws against Google and other tech behemoths and taken a tougher stance against the industry’s tax policies. Google, a frequent target, was fined a record €4.3-billion ($6.5-billion) last year for abusing its power in the mobile phone market.
The ruling Monday takes aim at Google’s business model, which turns data on users into narrowly targeted ads.
A central element of Europe’s new regulations is that companies must clearly explain how data are collected and used. France’s data-protection regulator, known as CNIL, said Google did not go far enough to get consent from users before processing data. Instead, it said, people are largely unaware of the data they are agreeing to share, or how Google plans to use the information.
In a statement, the regulator said Google’s practices obscured how its services “can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
Google’s size – it has about 20 different services – makes its data-collection practices “particularly massive and intrusive,” French authorities said.
Google defended its policies and said it was determining whether to appeal.
“People expect high standards of transparency and control from us,” a Google spokesman said. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
The case against Google stemmed from a complaint filed by privacy groups that accused the search giant of not properly adjusting its data-collection practices to account for Europe’s stricter privacy rules.
“A lot of U.S. companies have dumped everything they do in a consent box and have people waive their rights,” said Max Schrems, an Austrian lawyer who founded NOYB, one of the groups that filed the complaint, and is a long-time antagonist of U.S. tech giants over data collection.
“No one who reads it understands,” he added. “I don’t know what they do with my data and I’m a lawyer.”
Raphaël Dana, a partner at the Paris law firm Frieh Associés who specializes in privacy law, said Silicon Valley companies should expect more penalties across Europe as a result of the data-protection law.
“This is going to change the perspective between the profits that internet companies are able to make from the data of users and the risk of being sanctioned with fines,” Mr. Dana said.
The fine announced Monday is far lower than the maximum penalty under the European privacy law, which is 4 per cent of global revenue. For Google, that would be more than US$4-billion.
“The fine is immaterial,” said Johnny Ryan, chief policy and industry relations officer at web browser Brave. “But CNIL’s decision is very significant because it means that Google must stop building advertising profiles about people until it has properly told them what it is doing, and received their consent.”
Mr. Ryan said the risk to Google was that people would be startled to see how their data was used.
“It is likely that many people will say ‘no’ to being profiled by Google when they learn the truth,” he said.