Google has been served with a €50m (£44.1m) fine by the French data regulator for breaching the EU's rules on consumer data protection.
CNIL's restricted committee handed down the judgement this afternoon, finding Google responsible for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation" under General Data Protection Regulation (GDPR) guidelines.
CNIL said the penalty, France's first ever fine under the new legislation, was "justified by the severity of the infringements observed regarding the essential principles of GDPR".
Though today's fine is the largest under GDPR to date, it is relatively small in comparison to the legislation's maximum penalty of four per cent of a firm's annual global turnover. In Google's case, the fine could have been more than $4.3bn (£3.3bn) based on revenues of $109.7bn in its last full financial year.
A Google spokesperson said the firm was "studying the decision" to determine its next steps.
The regulator said Google had failed to provide users with enough information about its data consent policies and sufficient control over how their data is used. It also said Google didn't have a valid legal basis on which to collect data for personalising its ads.
"Despite the measures implemented by Google… the infringements observed deprive users of essential guarantees regarding processing operations that can reveal important parts of their private life," the regulator said.
"Moreover, the violations are continuous breaches of [GDPR] as they are still observed to date. It is not a one-off, time-limited infringement."
The ruling stemmed from two complaints filed on 25 May last year, the day GDPR first took effect, by data privacy groups None Of Your Business (Noyb) and La Quadrature Du Net (LQDN).
Noyb also filed complaints against Apple, Amazon, Google, Netflix and Spotify on Friday, claiming the tech giants had violated users' right to access a copy of all raw data a company holds about them.