PARIS (AFP) — France’s highest administrative authority on Friday dismissed a challenge by Google against a fine of $56 million for failing to provide adequate information on its data consent policies.
The fine was imposed in 2019 by France’s data watchdog, the CNIL.
It found at the time that Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
Its ruling applied principles enshrined in the EU’s strict new General Data Protection Regulation (GDPR). Google then appealed.
But on Friday, the Council of State, a French government body that is also the court of last resort for matters of administrative justice, confirmed the CNIL ruling.
It agreed the information that Google provided to users “does not meet the requirements of clarity and accessibility required by the GDPR” even when the nature and volume of data collected was “particularly intrusive.”
The council said the CNIL’s record fine was not disproportionate “given the particular seriousness of the breaches committed, their continuous nature and duration, the ceilings provided for by the GDPR (up to 4% of turnover) and Google’s financial situation.”
In a statement sent to AFP, the American giant said it would “now examine the changes we need to make.”
The matter was brought to the CNIL by two advocacy groups shortly after the landmark GDPR directive came into effect.
One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, and the other by None Of Your Business, created by the Austrian privacy activist Max Schrems.
Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes online or on its apps which imply that its services will not be available unless the conditions of use are accepted.
The CNIL noted in its ruling that details on how long a person’s data can be kept and what it is used for were spread over several different web pages.
Modifying a user’s data preferences required clicking through a variety of pages such as “More Options,” and often the choices to accept Google’s terms were pre-checked by default.
It was not the first time the regulator had taken Google to task.
In 2014 it fined the company 150,000 euros ($205,000) — the maximum possible at the time — for failing to comply with privacy guidelines.
And in 2016 it imposed a 100,000 euro ($111,720) penalty over noncompliance with the EU’s “right to be forgotten” rule which allows people to request having references to them removed from search results.
Separately Friday, France’s highest administrative court overturned a regulatory ruling that prohibited websites from blocking users who do not accept tracking cookies.
France’s data privacy body CNIL indicated last year that websites could not use so-called cookie walls that blocked users who did not want to accept the cookies that help websites present targeted ads following the introduction of the EU’s new GDPR data protection law.
But the Conseil d’Etat said that CNIL was mistaken “in concluding there was such an interdiction from the requirement of free consent to the placement of trackers by users” under the GDPR.
Website owners had contested the CNIL’s move as cookies help them earn more money from advertisers, with advertising the main or only source of revenue for many services.
The Conseil d’Etat also said websites did not need to request specific permission for each usage of the data so long as users gave their overall consent.
© Agence France-Presse