Business / Corporate

France fines Google €50 million for not making its data consent policies clear and accessible


France’s data watchdog issued a €50 million (¥6.2 billion) fine for U.S. search giant Google, the first such sanction under the EU’s strict General Data Protection Regulation.

Google was handed the record fine Monday for failing to provide transparent and easily accessible information on its data consent policies, the data protection regulator said.

Officials said Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a Google spokesperson, referring to the General Data Protection Regulation, said in a statement. “We’re studying the decision to determine our next steps.”

The ruling follows complaints lodged by two advocacy groups last May, shortly after the landmark GDPR directive came into effect. One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, while the other was by None Of Your Business, created by the Austrian privacy activist Max Schrems.

Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes, online or in its apps, which imply that its services will not be available unless the conditions of use are accepted.

“Also, the information provided is not sufficiently clear for the user to understand that the legal basis for targeted advertising is consent, and not Google’s legitimate business interests,” the French regulator said.

“We have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products,” Schrems said in a statement after the ruling. “It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

The GDPR is widely considered the biggest shake-up to data privacy regulations since the advent of the web. Even companies that are not based in Europe must follow the tough new rules if they want their sites and services to be available to European users.

The French regulator found that despite changes implemented by Google since last year, it was still failing to respect the spirit of the new rules. It noted, for example, that specifics on how long a person’s data is kept and what it is used for are spread across several different web pages.

Modifying a user’s data preferences also requires clicking through a variety of pages such as “More Options,” and often the choices to accept Google’s terms are pre-checked by default.

“This type of procedure leads the user to give global consent … but the consent is not ‘specific’ as the GDPR requires,” the regulator said.

It said the record €50 million fine reflected the seriousness of the failings as well as Google’s dominant market position in France via Android.

“Each day thousands of French users create a Google account on their smartphones,” the regulator said. “As a result the company has a special responsibility when it comes to respecting their obligations in this domain.”

It is not the first time the regulator has taken Google to task over its policies.

In 2014 it fined the company €150,000 — the maximum possible at the time — for failing to comply with its privacy guidelines for personal data.

In 2016 it imposed a €100,000 penalty over noncompliance with the EU’s “right to be forgotten” rule, which allows people to request having references to them removed from search results.

Google has contested the decision, saying it should apply only to its European sites, such as, and not the global domain.

Earlier this month the advocate general for the European Court of Justice in Luxembourg sided with Google in the case, although a final ruling has not yet been announced.