CNIL, the French data protection watchdog, has issued its first GDPR fine of $57 million (50 million euros). The authority claims that Google has not complied with the General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android's onboarding process.
Two nonprofits called 'None of Your Business' (noyb) and La Quadrature du Net had originally filed a complaint back in May 2018 – noyb originally filed a complaint against Google and Facebook, so let's see what happens with Facebook next. Under the GDPR, complaints are transferred to local data protection watchdogs.
While Google's European headquarters is in Dublin, CNIL first concluded that the Dublin team did not have the final say on data processing for new Android users –
The CNIL then concluded that Google did not comply with the GDPR in terms of transparency and consent.
Let's start with the alleged lack of transparency. "Important information, such as data processing purposes, data storage periods, or categories of personal information used for advertising, is widely disseminated across multiple documents with buttons and links that must be clicked to access additional information," the regulator writes.
If a user wants to know, for example, how their data is processed to personalize ads, it takes 5 or 6 taps. CNIL also says it is often too difficult to understand how your data is being used – Google's wording is broad and unclear for that purpose.
Second, Google's consent flow does not meet the GDPR according to the CNIL. By default, Google really pushes you to sign in or sign up for a Google Account. The company tells you that your experience will get worse if you don't have a Google Account. According to the CNIL, Google must separate the action of creating an account from the action of setting up a device – consent bundling is illegal under the GDPR.
If you choose to sign up for an account, when the company asks you to tick or untick some settings, Google does not explain what that means. For example, when Google asks you if you want personalized ads, the company doesn't tell you that this covers many different services, from YouTube to Google Maps and Google Photos – it's not just about your Android phone. In addition, Google does not ask for specific and unambiguous consent when creating an account – the ability to opt out of personalized ads is hidden behind a "More Options" link. This option is pre-ticked by default (it shouldn't be).
CNIL also reminds Google that nothing has changed since its investigation in September 2018.
noyb chairman Max Schrems has sent us the following statement:
"We are very pleased that a European data protection authority is, for the first time, using the GDPR's ability to punish clear violations of the law. After the introduction of GDPR, we have found that large companies like Google simply interpret the law differently and often only superficially adapt their products. It is important that the authorities make it clear that just claiming to be compliant is not enough. We are also pleased that our work on protecting fundamental rights is bearing fruit, and I would also like to thank our supporters who make our work possible."
Update: A Google spokesperson sent us the following statement:
"People expect high standards of transparency and control from us. We are deeply committed to meeting these expectations and requirements for GDPR consent. We are studying the decision to determine our next step."