Google has been hit with a record fine by French data regulator CNIL, of 50m euros ($56.7m) for breaching GDPR after finding that Google had a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
The regulator also said that the users were not sufficiently informed about how Google users personal data for advertising. The fine relates to two complaints filed by privacy advocacy groups, which were filed as soon as GDPR came into place in May last year. The groups also claim that Google does not not have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR. Google also selects ad personalisation by default for new users, instead of offering an ‘opt in’, which is also against GDPR rules.
Under the GDPR, complaints are transferred to local data protection regulators. While Google’s European HQ is in Dublin, the CNIL concluded that the team in Dublin doesn’t have the final say when it comes to data processing for new Android users.
In a statement, Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
The large fine reflect the view thatthe violations were continuous, and still occurring. Google’s violations were aggravated by the fact that “the economic model of the company is partly based on ads personalisation”, and that it is therefore “its utmost responsibility to comply” with GDPR.
Dr Lukasz Olejnik, an independent privacy researcher and adviser, said the ruling was the world’s largest data protection fine. “This is a milestone in privacy enforcement, and the history of privacy. The whole European Union should welcome the fine. It loudly announced the advent of GDPR decade,” he said.
Facebook is also faced with huge fines. Facebook has been fined €10m (£8.9m) by Italian authorities for misleading users over its data practices. The two fines issued by Italy’s competition watchdog are some of the largest levied against the social media company for data misuse, dwarfing the £500,000 fine levied by the British Information Commissioner’s Office in September for the Cambridge Analytica scandal– the maximum that body was able to issue. The Italian regulator found that Facebook had breached articles 21, 22, 24 and 25 of the country’s consumer code by: Misleading users in the sign-up process about the extent to which the data they provide would be used for commercial purposes.
Emphasising only the free nature of the service, without informing users of the “profitable ends that underlie the provision of the social network”, and so encouraging them to make a decision of a commercial nature that they would not have taken if they were in full possession of the facts. Forcing an “aggressive practice” on registered users by transmitting their data from Facebook to third parties, and vice versa, for commercial purposes.
The company was specifically criticised for the default setting of the Facebook Platform services, which in the words of the regulator, “prepares the transmission of user data to individual websites/apps without express consent” from users. Users can disable the platform, but the regulator found that its opt-out nature did not provide a fully free choice. As an additional penalty, the authority has directed Facebook to publish an apology to users on its website and on its app.
In a statement, a Facebook spokesperson said: “We are reviewing the Authority’s decision and hope to work with them to resolve their concerns. This year we made our terms and policies clearer to help people understand how we use data and how our business works. We also made our privacy settings easier to find and use, and we’re continuing to improve them. You own and control your personal information on Facebook.”
On Friday (14 December), Facebook disclosed that a bug gave hundreds of apps unauthorised access to photos that users had uploaded but hadn’t made public. The bug is understood to have ran for 12 days between 13 and 25 September. To compound matter it failed to promptly disclose the issue within 72 hours.
The bug is the latest in a series of privacy scandals. Facebook disclosed a security breach on Sept. 28, saying 50 million accounts had their login access tokens stolen. That figure was reduced to 30 million , and Facebook lconfirmed that 29 million of the impacted users had their names and contact information exposed. Among those users, 14 million of also had other personal information, such as their gender, relationship status and their recent place check-ins, stolen by the attackers. Facebook told the Irish Data Protection Commission that 10 percent of the affected accounts were European, according to Graham Doyle, the commission’s head of communications. the accounts were hacked in an access token harvesting attack. The security incident, revealed last week, was caused by a vulnerability in Facebook’s code which permitted attackers to steal access tokens. Access tokens are used to keep Facebook users logged in when they switch over to a public profile view via the “View As” feature.
A KPMG global study in 2018 revealed that 77% of consumer are totally against their data being sold.
A CNIL ruling in October last yearagaisnt the company Vectuary has a lot of significance. Data privacy experts consider the regulator was stating that consent to processing personal data cannot be gained through a framework arrangement which bundles a number of uses behind a single “I agree” button that, when clicked, passes consent to partners via a contractual relationship. That CNIL decision implies that bundling consent to partner processing in a contract is not, sufficient, or valid consent under the European Union’s General Data Protection Regulation (GDPR) framework.
The firm was harvesting personal data (including people’s location and device IDs) on its partners’ mobile users via an SDK embedded in their apps, and receiving bids for this data via another standard piece of the programmatic advertising pipe — ad exchanges and supply side platforms — which also get passed personal data so those can broadcast it widely via the online ad world’s real-time bidding (RTB) system to solicit potential advertisers’ bids for the attention of the individual app user… The wider the personal data gets spread, the more potential ad bids. CNIL discovered the company was holding the personal data of a staggering 67.6 million people when it conducted an on-site inspection of the company in April 2018 and yet Vectuary’s website claims it doesn’t store 70% of its data.
GDPR, Article 5, paragraph 1, point f, requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss.” If you can not protect data in this way, then the GDPR says you can not process the data. So the complint ius not just about the data or the consent but also about the processing. of the data sharing but rather that it is not adequately secure or controlled.
