Google fined €50 million under new EU data protection law

France’s data privacy protection agency has fined Google €50 million ($56.8 million) for failing to comply with the European Union’s new European Union data protection regulations.

Agence France-Press reports the Commission Nationale de l’Informatique et des Libertés (CNIL) slapped Google with the record penalty for violating the General Data Protection Regulation (GDPR) rules. The watchdog agency cited Google’s “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”

CNIL said such a large fine is justified because Google’s violations have been continuous and have not stopped, and that they are exacerbated by the fact that “the economic model of the company is partly based on ads personalization.”

Approved by EU authorities in 2016, GDPR went into effect in May 2018 with the stated goal of “giving EU citizens more control over their own personal data, improving their security both online and offline.”

GDPR affects not only companies located within the EU but also firms from outside the 28-nation bloc if they offer goods or services to EU residents or monitor their behavior. It strengthened conditions of consent so that companies can no longer use vague or confusing language in efforts to persuade people to give up their data. GDPR also prohibits companies from bundling consent for disparate goods or services.

In a statement released following the judgment, Google said it was committed to complying with GDPR rules.

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR,” a spokesperson from the Mountain View, California-based company said. “We’re studying the decision to determine our next steps.”

Companies have scrambled to adjust their operations in order to comply with GDPR. Last month, Google announced it would shift control of European data from the US to Ireland with an eye toward GDPR compliance. The change is set to occur on January 22.

“We’re making the data controller change to facilitate engagement with EU data protection authorities via the GDPR’s ‘One Stop Shop’ mechanism, which was created to ensure consistency of regulatory decisions for companies and EU citizens,” explained Anne Rooney, public policy manager for Google Ireland. “It’s important to note these changes do not in any way alter how our products work or how we collect or process user data within our services.”

However, GDPR compliance has confounded other companies. After the new regulations were announced, more than 1,000 online US news sites owned by companies including Tronc (Los Angeles Times, Chicago Tribune), Lee Enterprises (St. Louis Post-Dispatch) and GateHouse Media (Austin-American Statesman, Columbus Dispatch, Florida Times-Union) decided to block user access in Europe rather than run afoul of the new rules.

This isn’t the first time that CNIL has fined Google. In 2014, the tech giant was fined €150,000 ($170,000), which was the maximum amount allowed at the time, for violating privacy rules for personal data. Two years later, Google was fined €100,000 ($113,000) for non-compliance with the EU’s “right to be forgotten” rule.

The record fine against Google comes a month after Italy’s Competition Authority slapped Facebook with two fines totaling €10 million ($11.3 million) for illegal data use. One fine was for persuading people to register for accounts on the social media platform without informing them that their data would be collected and used for commercial purposes, while the other penalty was for illegally passing user data on to third parties.