France’s data protection watchdog CNIL has fined Google €50 million (£44 million) for breaching Europe’s General Data Protection Regulation (GDPR) – just one day before Google moves its service provision to Dublin from the US and makes Google Ireland Limited the “data controller” legally responsible for EEA and Swiss users’ information.
The watchdog found that Google is not GDPR-compliant for two reasons: 1) data processing for new Android users appears to happen outside Europe without consent and 2) data processing permissions intended to help personalise ads are not transparent enough for users. (The original complaint focussed on the notion of “forced consent“).
Google also by default ticks a box that says “I agree to the processing of my information as described above and further explained in the Privacy Policy” when a user creates a new account on their smartphone, without clearly specifying that this is for personalised ads not just on Android but across Youtube et al.
Broad consent such as this is banned under GDPR.