Google has been fined a record €50m (£44m) by France’s data protection watchdog for lacking transparency and providing insufficient information regarding its use of data.

The fine levied by the Commission Nationale de l’Informatique et des Libertés (CNIL) represents the first time that the Alphabet-owned company has been charged under the terms laid out by the General Data Protection Regulation (GDPR).

According to the CNIL, it has been investigating Google since 1 June 2018, following complaints it received from None Of Your Business and La Quadrature du Net. Both groups alleged that Google, and other major internet companies, did not have a valid legal basis for the processing of personal data, particularly when it comes to ad personalisation.

CNIL found that essential information provided by Google, “such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, is not easily accessible for users because it has been spread across several webpages – sometimes requiring “up to five or six actions” before reaching the relevant screen.

This, along with the lack of clarity of some information, means that users are unable to fully understand the extent of the data processing carried out by Google, according to the CNIL.

Furthermore, the French watchdog found that even when consent is received by Google, this consent has not been collected in a ‘specific’ and ‘unambiguous’ way, as laid out under GDPR. Users aren’t asked to specifically consent to ad personalisation, instead being asked to consent to everything via simply agreeing to Google’s terms of service and privacy policy. As such, the consent is unspecific and ambiguous.  

“People expect high standards of transparency and control from us,” said Google in a statement. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

CNIL provided justification for the fine, stating that the violations by Google were not a “one-off, time-limited, infringement” but a continuous breach of GDPR. In addition, “the economic model of the company is partly based on the ads personalisation. Therefore, it is of its utmost responsibility to comply with the obligations on the matter”.

Ron Moscona, a partner at the international law firm Dorsey & Whitney, said: “Targeted (or programmatic) advertising – which is one of Google’s main sources of revenue – is one of the main contact points where GDPR clashes directly with the way in which the internet industry works. Targeted advertising relies on collection of data about people from across the net. The GDPR requires express consent prior to use of personal information in targeted advertising. The question is how that consent should be obtained.  Google has taken numerous steps in its efforts to comply with the GDPR.  However, as the decision of CNIL, the French regulator, demonstrates, the industry is working through how consent may be obtained in compliance with the GDPR.

“The penalty imposed on Google by the French regulator can be seen as a warning shot at the digital industry at large,” said Moscona. “Regulators can impose much higher penalties if they choose to. The indications are that after many years of under-enforcement, regulators in the EU are prepared to use GDPR and flex their muscles. The digital industry will undoubtedly find a way to adjust to this new regulatory environment.”