The French authorities allege that the technological company is undertaking acts with serious lack of transparency
Network security and ethical hacking
specialists from the International Institute of Cyber Security report that, in
accordance with the General
Data Protection Regulation (GDPR), the French National Commission of Informatics and Freedoms (CNIL) imposed a €50M fine to Google for “violations of transparency and information
management, as the company did not request users’ consent to process their data
for advertising personalization purposes”.
This measure was taken in consequence of the
lawsuits presented by the non-governmental organization None Of Your Business (NOYB), dedicated to the defense of the privacy
of technology users; the NGO argued that “Google does not have a solid legal
basis for processing the data of its users for commercial purposes”.
This is one of the first hard tests the GDPR is
facing, which came into force last May, commented experts in network
security, as NOYB presented four complaints against Google, Facebook,
WhatsApp and Instagram the same day, all them arguing “users’ forced consent”.
Once the complaints were received, the CNIL
began an investigation to see if Google failed to comply with any of the
requirements established in the GDPR and the Data Protection Act of France. At
the end of the investigation, the CNIL concluded that Google failed to comply
with two requirements established in the GDPR, since it does not guarantee easy
access to basic information about its services, besides that it does not obtain
the user’s consent to access their personal data in a legitimate way.
Experts in network security and privacy
commented that, although Google publishes all the information required by the
GDPR, the company makes it difficult for users to find it, as well as the
information is ambiguous and incomplete, says the CNIL.
“Elementary information, such as data
processing purposes or personal data storage time lapses is intentionally
difficult to gather. For example, if a user wants to know how the company processes
and stores their personal data, it must invest a considerable amount of time to
find all the information they request from Google,” mentions CNIL’s research.
In addition, the report mentions that although
Google claims to request the express consent of its users before processing
their data for commercial purposes, it was found that this does not happen this
way, as users are not sufficiently informed during this process, in addition to
the information that Google shows can be ambiguous or not specific.
Google is not the
first company failing to comply with the GDPR
NOYB also filed a complaint against YouTube,
another online service owned by Google, for violating one of the main provisions
of the GDPR (rights of access), which could generate a fine of up to €4 Billion, comment NOYB.
In November 2018, a few months after the entry
into force of the GDPR, Google was allegedly incurring misleading practices to
track the location of its users.
