Google has been fined €50m (£44m) by France’s privacy regulator for breaching the EU’s data protection rules.
The penalty marks the first time the French watchdog has used its powers under the General Data Protection Rules, known as GDPR.
France’s data authority CNIL said the amount of the fine was “justified by the severity of the infringements observed regarding the essential principles” of the rules.
The EU rules came into effect across the 28-nation bloc in May last year and gave national privacy regulators equal powers to fine companies as much as 4 percent of global annual sales for the most serious violations.
Google has come under CNIL’s scrutiny many times before, but under the old rules, fines couldn’t exceed the maximum of €150,000.
The fine was triggered by two complaints, one from noyb, a group created by Austrian privacy activist Max Schrems, which accused Google of forcing users to agree to new privacy policies.
CNIL said it had found that Google violated EU law in two ways – one for lack of transparency and information, the other for not having a legal basis to process user data for personalized advertisements. Its ruling can be appealed.
The regulator said: “Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
Mr Schrems said he was pleased with NCIL’s decision, and added: “It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
In a statement, Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”