French data protection regulator Commission Nationale de l'Informatique et des Libertés (CNIL) fined Google 50 million euros for breaking General Data Protection Regulation, the EU's data protection rules that took effect on May, 25 2018. CNIL imposed the penalty “for lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.” According to CNIL, the information Google provides is not accessible to users and is usually disseminated across several files, which means “relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.” It also said the descriptions are often “too generic and vague,” thus making them incomprehensible.
Moreover, CNIL claimed Google could not obtain valid consent since user consent is neither “sufficiently informed,” nor is it “specific” or “unambiguous.”
CNIL explained the record fine was given due to the severity of the infringements, adding: “[T]he violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
Google issued a statement, saying, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”