France’s National Data Protection Commission (CNIL) slapped Google with a €50 million fine for violating transparency and consent provisions in the EU’s General Data Protection Regulation (GDPR), marking the agency’s first enforcement of the privacy law.

CNIL said it examined the configuration process for Android devices, during which users are required to create a Google account, and found the company failed to provide “easily accessible” information about how user data is collected, processed and stored.

It also determined Google did not gain appropriate permission for advert personalisation since consent collected when users agree to Google’s Terms of Service and Privacy Policy is “neither ‘specific’ nor ‘unambiguous'” as required by GDPR.

“The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent…It is not possible to be aware of the plurality of services, websites and applications involved in these processing operations and therefore of the amount of data processed and combined,” it wrote.

CNIL said the large fine was justified by “the severity of the infringements”, which it noted are still ongoing.

Forced consent
The findings were the result of an investigation started in 2018 after advocacy groups La Quadrature du Net and None of Your Business (NYB) lodged complaints accusing Google of applying forced consent policies, which require users to acquiesce to set privacy terms in order to access services.

NYB filed a similar complaint against Facebook, though no ruling has been made in that case.

In a statement, Google said it is “deeply committed” to meeting user expectations around transparency and data control as well as the consent requirements of GDPR, and is “studying the decision to determine our next steps”.