Google has been hit with a $204,200 fine by France's National Commission for Computing and Civil Liberties (CNIL) in connection with changes Google made to its data policies in 2012 that continue to be in conflict with the French Data Protection Act.
The fine, which is the highest financial penalty assessed so far by the French data protection agency, was announced Jan. 8 by the CNIL.
The CNIL's decision relates to Google's move back in March 2012 to merge many of the company's privacy policies into one over-arching policy for some 60 Google services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs and Google Maps, according the CNIL announcement. "Nearly all Internet users in France are impacted by this decision due to the number of services concerned," the agency said.
The CNIL action to fine Google was taken because Google "does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing," the report continued. "They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion."
The CNIL statement also said that the fine was implemented because Google "does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals," and that the company "fails to define retention periods applicable to the data which it processes."
In addition, the CNIL reported that Google erroneously "permits itself to combine all the data it collects about its users across all of its services without any legal basis."
The G29, the Working Group of all European Union Data Protection authorities, previously had contacted Google about the matter, but Google "failed to comply with the EU legal framework and correspondingly issued several recommendations, which Google Inc. did not effectively follow-up upon. Consequently, six EU Authorities individually initiated enforcement proceedings against the company," the statement continued. "These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws."
The high fine "is justified by the number and the seriousness of the breaches stated in the case," the CNIL announced. Google has also been ordered to post notice of the CNIL decision on the French Google Web page for 48 hours to help notify affected users of the fine and the agency's decision in the case.
In June 2013, Google was given 90 days by French regulators to amend its policies about how the company deals with users' data or face large fines. Five other EU nations made similar threats to Google. The deadline was issued by the CNIL at that time. In a statement, the CNIL told Google that it was taking the action because the company is not yet in compliance with French law.
Google did not respond to an eWEEK inquiry on Jan. 9 seeking comment on the case.