Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Fined $57 Million By French Data Privacy Body For Failing To Comply With EU's GDPR Regulations (venturebeat.com)

Posted by BeauHD on from the drop-in-the-bucket dept.

schwit1 shares a report from VentureBeat: Google has been hit by a $57 million fine by French data privacy body CNIL (National Data Protection Commission) for failure to comply with the EU's General Data Protection Regulation (GDPR) regulations. The CNIL said that it was fining Google for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization," according to a press release issued by the organization. The news was first reported by the AFP. What the CNIL is effectively referencing here is dark pattern design, which attempts to encourage users into accepting terms by guiding their choices through the design and layout of the interface. This is something that Facebook has often done too, as it has sought to garner user consent for new features or T&Cs.

It's worth noting here that Google has faced considerable pressure from the EU on a number of fronts over the way it carries out business. Back in July, it was hit with a record $5 billion fine in an Android antitrust case, though it is currently appealing that. A few months back, Google overhauled its Android business model in Europe, electing to charge Android device makers a licensing fee to preinstall its apps in Europe. Google hasn't confirmed what its next steps will be, but it will likely appeal the decision as it has done with other fines. "People expect high standards of transparency and control from us," a Google spokesperson told VentureBeat. "We're deeply committed to meeting those expectations and the consent requirements of the GDPR. We're studying the decision to determine our next steps."

13 of 109 comments (clear)

  1. Speeding fine by Anonymous Coward · · Score: 4, Insightful

    Based on that, my next speeding fine should be about $0.27

    Corporate fines MUST be based on International turnover (they hide profits too well), or better year a minimum of 12 months in federal prison for all of the Management.

    1. Re: Speeding fine by Mr.+Dollar+Ton · · Score: 5, Insightful

      GDPR's sole reason to exist is to give me a legal option to force the likes of Facebook and Google to store and process my private information in a more responsible manner.

      It is not difficult to comply with. A Mom and Pop shop does't need "a full time DPO" if they have a visitor from the EU or ship a package occasionally.

      I looked at europa.eu, and I don't understand what you mean at all by "cleaning house domestically". The GDPR applies with the same strength everywhere in the EU, and to all companies that operate there. I've had personal data removed by EU companies after a GDPR request.

      Take a breather, nobody's buying your sad FUD.

    2. Re: Speeding fine by gravewax · · Score: 4, Informative

      NO THEY FUCKING DON'T need a DPO. The regulations are quite clear on that, only organisations that process large scale data processing and collecting. You don't have any "hours to react to a breach", you have to act in a timely and responsible manner. NO your country DOES NOT mandate recording information in breach of the GDPR, The GDPR excludes government requirements for data storage, what it mandates is that you must store and process data in a responsible manner.

    3. Re: Speeding fine by Cederic · · Score: 3, Insightful

      The EU hasn't set a rule on companies. The EU has agreed collectively that its member states must pass rules on company behaviour.

      The benefit of the EU is that complying with one country's rules means you're (broadly) automatically complying with all of the other countries' rules. You still have to obey the law in each country in which you operate.

      Is that so hard to comprehend?

    4. Re: Speeding fine by kaur · · Score: 3, Insightful

      GDPR is very simple to comply with:
      - know how your business uses personal data
      - be open about it - inform your customers
      - secure the use of personal data by access control & logging
      - check your contracts with third parties, and try not to share personal data unless necessary
      - educate your employees

      That's about it.

      The real effect of GDPR is implementing reasonable data management practices across the board.
      Say I want to save the hair colour of customers. Shall I create a new database? Or should I put it into an existing one? New database is easier, I don't need to discuss with anyone, I'l just spin up a new mongo instance, done. But I'll lack all security that the old database already has. Now GDPR forces me to implement security, which means it will be easier to put the data into the existing DB, even if this has management overhead for me - I need to get my change into DB team's backlog, etc. However, in the long run I am better off with all data being in one place, not split across multiple platforms.

      Or say I need to email / message / call my customers. GDPR incentivizes using service providers that have been already set up, with contracts and security and compliance in place. This is a price to pay, you won't be as flexible as you could, and you will pay extra for the compliance. However, this is a reasonable tradeoff.

      Mom & Pop should thus know what personal data they have, know how they handle it, and say it out in a public statement.
      Not much to ask.

  2. Re: If it's an EU rule then why... by Anonymous Coward · · Score: 3, Informative

    Vast amounts of new wealth has to be taxed

    A fine for violating a law with a 2-year grace period is not a tax, stupid.

  3. Offer them an alternative by Opportunist · · Score: 4, Interesting

    Like, say, they could pay the taxes for the revenue they make in France instead of squirreling it away with some tax evasion tricks.

    Then again, paying the fine is probably cheaper.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Offer them an alternative by Mr.+Dollar+Ton · · Score: 4, Insightful

      Tax avoidance is something entirely different from non-compliance with the privacy law. Why would you want to mix the two?

  4. Re:If it's an EU rule then why... by Mr.+Dollar+Ton · · Score: 4, Informative

    If it's an EU rule then why... Is a specific country fining Google?

    Because the EU is a confederation, in which the EP and EC draft the rules, and then each member is tasked with enforcing them on their territory, which is an obligation they have accepted by ratifying the EU treaties.

    it is really simple and straightforward.

  5. Re: If it's an EU rule then why... by guruevi · · Score: 3, Informative

    You obviously have no idea. IP's are "personal information": https://www.alstonprivacy.com/... ; A website by definition serves anyone on the internet ; The rest of your post is likewise red herrings, GDPR is not concerned with whether or not an individual is an EU citizen, anyone located in an EU country is protected by GDPR and can apply for the protections under it. According to one law firm that tries to explain it: "it is likely that EU citizens residing in the US will be given the same protections as those living in an EU country". If you operate a hotel, how would you limit your offers, the goal is to sell yourself to as much visitors as possible, not serving people from the EU would be discrimination in many countries.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  6. Re: How France understands computer use by Maelwryth · · Score: 4, Insightful

    It's a fine, not a tax. If Google wishes to operate within the E.U. then they have to obey the laws of the E.U.

    --
    I reserve the write to mangle english.
  7. Re: If it's an EU rule then why... by Mr.+Dollar+Ton · · Score: 4, Informative

    You obviously have no idea. IP's are "personal information": https:

    Wrong, it is you who has no idea. And let me quote the relevant part of the decision for you:

    However, the ECJ did not state that in all cases, IP addresses in the hands of a website operator should be considered personal data. Instead, it required an evaluation of “whether the possibility to combine a dynamic IP address with the additional data held by the [ISP] constitutes a means likely reasonably to be used to identify the data subject.”

    GDPR is not concerned with whether or not an individual is an EU citizen, anyone located in an EU country is protected by GDPR and can apply for the protections under it.

    Wrong, only legal residents of the EU are protected by GDPR. Clearly stated in the law, which you have not read.

    According to one law firm

    Well, find a competent one, or just read the guides that EU has helpfully posted for more than 2 years now.

    If you operate a hotel, how would you limit your offers

    Well, you just advertise locally, or if you want orders from within the EU, you comply.

  8. Re: How France understands computer use by Freischutz · · Score: 4, Insightful

    Well that's easy then pull out of all EU countries and find out who begs who back first.

    Yeah, go back to California to sulk and leave a market of 500 million potential customers to your competitors that you have poured considerable efforts and money into making sure remain 3rd rate players with marginal market share so they won't threaten your monopoly. On what level does that seem like an intelligent plan to you? Google is about as likely to abandon the EU market as a pig is likely to voluntarily move out of a field of clover.