Google Faces Maximum Privacy Fine, Public Shaming In France

With the NSA spying scandal and a brewing transatlantic privacy dispute in the background, Google was given the maximum fine, 150,000 euros (roughly $203,000), for violating French privacy rules with its “unified” privacy policy. The French privacy authority, the National Commission for Computing and Civil Liberties (CNIL), previously gave Google three months to change and “fix” its privacy […]

Chat with MarTechBot

privacy-security-lock-ss-1920

With the NSA spying scandal and a brewing transatlantic privacy dispute in the background, Google was given the maximum fine, 150,000 euros (roughly $203,000), for violating French privacy rules with its “unified” privacy policy.

The French privacy authority, the National Commission for Computing and Civil Liberties (CNIL), previously gave Google three months to change and “fix” its privacy policy or face the fine. Google maintained that it was in compliance with European privacy standards and declined to make any changes.

As expected the company was penalized. The financial penalty will have no impact whatsoever on Google. However CNIL also mandated that Google post a statement on its homepage in France that its privacy policy did not comply with French law. It appears that the statement only needs to be up for 48 hours.

In its statement announcing the fine CNIL spelled out what it considers to be wrong with Google’s privacy policy. Here’s the verbatim language:

  • The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
  • The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
  • It fails to define retention periods applicable to the data which it processes.
  • Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.

Google issued a public statement saying that it was reviewing the decision to “determine next steps.”

The fine is the highest that can be imposed by CNIL and there’s no current way to levy European-wide fines, making it unlikely that Google will face anything more than modest financial penalties on a country by country basis. CNIL made a point of saying that its conclusions were “similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.”

Google has a roughly 92 percent search market share in France. It’s unclear whether the homepage posting and publicity related to the CNIL fines will have any impact on French public opinion of the company.

It’s not clear from the materials I’ve seen whether CNIL can do anything further if Google refuses to change its privacy disclosures or policy in the wake of the fine. If “this is it,” Google might simply pay the fine and continue on its present course.

These fines are unlikely to be the end of the EU vs. US tech companies privacy story however.

There is a significant cultural and philosophical divide between the US and EU when it comes to digital and personal privacy. As the Wall Street Journal reports, privacy may be at the center of a coming US-EU trade dispute, as US legislators try and impose looser privacy rules on trading partners while Europeans try to force US companies to comply with their stricter view of personal data protection.

The effort to sanction US companies and gain privacy compliance in Europe is also being fueled now by European indignation about US government spying via US tech companies.

Postscript: Google’s global privacy counsel Peter Fleischer has said the current European effort to craft an EU-wide data protection standard is “dead.”  On his personal blog he wrote:

Europe’s much-ballyhooed, and much-flawed, proposal to re-write its privacy laws for the next twenty years collapsed.  The old draft is dead, and something else will eventually be resurrected in its place.  We’ll have to wait until 2014, or perhaps even later, to learn what will replace it.  Whatever comes next will be the most important privacy legislation in the world, setting the global standards.  I’m hopeful that this pause will give lawmakers time to write a better, more modern and more balanced law.  


Contributing authors are invited to create content for MarTech and are chosen for their expertise and contribution to the martech community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. The opinions they express are their own.


About the author

Greg Sterling
Contributor
Greg Sterling is a Contributing Editor to Search Engine Land, a member of the programming team for SMX events and the VP, Market Insights at Uberall.

Fuel up with free marketing insights.