
CNIL imposes a financial penalty of 50M euros against Google - Aissen
https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc
======
LeanderK
50M euros seems far too little to me. It's a major violation against a
fundamental regulation in their core product and compared to their revenue,
50M is nothing. A magnitude more will probably get google thinking, but I
doubt this will.

~~~
Despegar
As always with these cynical comments about fines, it misunderstands the
nature of them. Google or any other company does not get to just continue
their practices as usual, the fine is purely "punishment" for the bad behavior
in the past. The real teeth is in the changes they will be forced to make.

The EC's three antitrust cases against Google don't end with the billions of
dollars in fines they have to pay. Google would gladly pay them if it meant
they could continue their anti-competitive practices, it would just be a cost
of doing business. But that's not the point of them.

~~~
LeanderK
but wouldn't a fine that's actually sizable send a different signal?

I don't get how google can violate something like this and the only result is
the enforcement of existing law and some fine? Or am I not getting something?

~~~
pgeorgi
> the only result is the enforcement of existing law and some fine?

The job of European data protection agencies isn't to be punitive, but to
ensure compliance.

If the issue was tiny, an honest mistake that was promptly fixed when it was
brought to the offender's attention, and they show that they implement
safeguards so that something like that won't happen again, there may be no
fine at all.

Compared to this, EUR 50M is rather heavy handed, but given that Google has
approximately $infinity at their disposal, no value would "ensure compliance".

What this does is ensure that the topic will be discussed by the board of
directors (50M is probably beyond the discretionary spending budget of the
not-quite-top level manager who handled this) with the outlook that there may
be more fines like that.

OTOH it's still far from that "4% of global revenue" figure, so it gives room
for escalation. Hopefully it's also small enough that it won't be disfigured
too much into "the evil EU is being protectionist again!" US press cycle that
comes up every time a US company is fined by some EU body.

~~~
luckylion
> The job of European data protection agencies isn't to be punitive, but to
> ensure compliance.

Wouldn't larger fines ensure compliance though?

~~~
ldng
Well next fine, if nothing is done to comply, will be heavier. For better or
worse, that's how it is intended to work.

------
dennisgorelik
CNIL forces bad UX pattern on EU users.

The correct pattern would be to use reasonable default settings and allow more
advanced users to customize.

But EU wants to force Google to present advanced configuration options to all
users. For the vast majority of users advanced configuration options look like
mumbo-jumbo, so most users will learn to quickly accept whatever mumbo-jumbo
they are presented with -- without reading it at all.

That CNIL change will make the Web worse than it is now, not better.

~~~
stefan_
That is entirely by design?

If you collect so much diverse data that you exploit in 100 different ways and
share with 1000 different companies that you require a hundred pages of
individual consent checkboxes, the system is working as intended.

Will most users just accept all? Maybe. But I think the share of concerned
users is larger than you believe it to be. And if history is any indication,
"reasonable default settings" have a bad habit of never erring on the side of
data collection minimization, particularly for new and novel features.

~~~
alkonaut
It should be a requirement that the hassle is proportional to the data
sharing. Want to share my data with 100 different places? Make me click 100
checkboxes.

------
plandis
I find it fascinating that Google gets a 50M fine for not having the exact UX
experience France thinks they should have but then fines a French company 250K
for breach of actual user data. Makes sense.

~~~
MattHeard
GDPR fines are intended to generally be proportional to the company's revenue.

~~~
laurentl
Furthermore, this is the first fine falling under GDPR. The previous fines
handed out by the CNIL were pre-GDPR, with much lower maximum amounts (300
k€). So a 250k€ fine is close to the maximum they could fine, which makes
sense given the offense.

------
buboard
This is how you weaponize legislation. I'll be damned if "They are going
after the big guys". Just reading the ruling tells you that any DPA can come
up with any kind of justification if they have a beef against you. Not only
is the law vague, now they can fine our businesses because we have "buttons
and links on which it is required to click to access complementary
information". And this is only the DPA of France. There are much more corrupt
governments and officials across EU countries. Romania is already having some
fun with it. Good luck to everyone, but I'm expecting this to backfire
spectacularly in the medium term.

------
gnode
Although 50M EUR is a minor fine for a corporation the size of Google, this
goes beyond a "warning in writing in cases of first and non-intentional non-
compliance". Does this mean that Google has been previously given such a
warning and violated it, or that they've been judged to have intentionally not
complied?

------
Aissen
Google Translate link (of the irony):

[https://translate.google.com/translate?hl=&sl=auto&tl=en&u=h...](https://translate.google.com/translate?hl=&sl=auto&tl=en&u=https%3A%2F%2Fwww.cnil.fr%2Ffr%2Fla-formation-restreinte-de-la-cnil-prononce-une-sanction-de-50-millions-deuros-lencontre-de-la)

And the full decision (in French, too) for anyone wanting to read 31 pages of
scanned legalese (not too harsh, though):
[https://www.cnil.fr/sites/default/files/atoms/files/san-2019...](https://www.cnil.fr/sites/default/files/atoms/files/san-2019-001_21-01-2019.pdf)

~~~
ernesth
Official announcement in English: [https://www.cnil.fr/en/cnils-restricted-committee-imposes-fi...](https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc)

~~~
yrf
That translation is only marginally better than the automatic Google Translate
translation.

~~~
nolok
The CNIL has a very constrained budget (since the need for them keeps
increasing, and their income doesn't), so spending money for an English
translation is probably not very high on their list. I would not be surprised
if it's one of their regular employees who just happened to speak English that
does those.

~~~
zozbot123
> I would not be surprised if it's one of their regular employees who just
> happened to speak English that does those.

For very low values of "speak English", of course - this is France after all.
That translation is so peculiar, it reminds me of the Chinglish manuals we get
with cheap manufactured products.

------
CorvusCrypto
This is an interesting case. So France is essentially arguing that not only
should opt-in be visible (as they mention it is on Google's create account
page), but that configuration should be immediately visible as well. This will
screw over much more than google should it be upheld.

It's interesting that this wasn't brought up to my employer in Sweden. We had
default data collection settings checked and in a separate view accessible by
a similar "more options" toggle and it was deemed okay as long as we had a
visible blanket opt-in checkbox and a link explaining the settings, how we use
data, and how to adjust. Our regulators said it would be enough as the goal of
GDPR is to make every use of data reasonably known, adjustable, and revocation
with good faith toward the user. Yet here it seems France is arguing that it
is about immediate showing of all settings to the user and that every website
should tell in the user's face about every single configuration of data usage.
It's possibly a good approach, idk, I feel it is a bit too annoying of a
precedent and that they are nitpicking a bit.

I can't wait for this to fully play out. Regarding documentation and informing
the user, I disagree with their findings entirely about the frustration of
finding data usage info as all of France's concerns were lost on me upon
visiting
[https://safety.google/privacy/data/](https://safety.google/privacy/data/). To
me it seems that Google has made a good faith effort at least in
documentation.

~~~
the_duke
I agree that this would put basically any service in existence into non-
compliance.

As a user, I do agree that a "blanket opt in" button/ default checked checkbox
is so pointless that it could as well be left out.

AN EASILY DIGESTIBLE page explaining what data is stored and how it is used,
with an agree button at the end (and separate opt-in for different sets of
data/functionality) should be mandatory.

Emphasis on the easily digestible, because we all know that the "terms and
conditions" pages out there are constructed to be as obtuse and uninformative as
possible to make users just skip them.

~~~
tomjen3
Honestly at most 10% of the sites that I have seen allow you to opt-out with a
single click, whereas basically all of them allow you to opt-in. Some don't
allow you to browse the site without accepting.

We need some general browser based auto script, so that websites don't get to
ask, something like a do not track header, but one that was legally binding.

Until then I click accept on all the sites that I use on my phone, they can
set all the cookies they want, as I use Firefox Sync, which erases all data
whenever you press back or close the browser.

~~~
MayeulC
I use a Firefox add-on[1], which works for the Quantcast banners (adds an "I
refuse" button), but would definitely like something that works equally well
for all websites, or that websites fix it themselves. Maybe even better, if
they could simply follow the DNT flag, or not track their users in the first
place.

I worry that accepting cookies once, for one of these sites, will lead them to
try and de-anonymize you, maybe even across private browsing windows, or
different sessions. If you give them the right to basically fingerprint you,
be assured that they will abuse it.

[1] [https://addons.mozilla.org/en-US/firefox/addon/qookiefix](https://addons.mozilla.org/en-US/firefox/addon/qookiefix)

------
alt_f4
These fines are really just a way for European govts to claw back money which
they feel they are owed by American tech companies for being successful in
European markets. In a global world, that's a wrong way to look at things. It
is time to cut admin fat in EU govts and stop penalizing productive
businesses.

------
amluto
The top of the CNIL site literally says:

> If you continue to browse this website, you accept third-party cookies used
> to offer you videos, social sharing buttons, contents from social platforms.

That looks like an illegal opt out. They should fine themselves :)

~~~
readyp1
If you look just to the right of that statement, there's a button labeled
Personalize that lets you set which 3rd party services you consent to. Correct
me if I'm wrong, but that appears compliant...

~~~
michaelmrose
Why can't we just set a single setting and have every website obey it?

~~~
amaccuish
It's called Do-Not-Track and was ignored...

~~~
mehrdadn
If GDPR required websites to obey DNT would it still be ignored?

~~~
jgtrosh
GDPR requires active consent (or so I have repeatedly seen on HN), and that
was clearly ignored

~~~
mehrdadn
Yeah, very true. :\

------
MarkMc
Does this mean that the consent Google has already obtained from users is
invalid, and so they must request consent again in a GDPR-compliant manner?

~~~
olivierduval
No, consents given BEFORE GDPR are considered valid. But, new Google accounts
are created every day... and this applies to them

~~~
Aissen
Have you read the part about consent given during account creation?

~~~
olivierduval
Sorry for being unclear:

- for Google accounts created and Android smartphones configured before GDPR
(25/5/2018), consent is considered valid under GDPR

- for Android smartphones configured AFTER 25/5/2018, the consent is
considered invalid, whatever the Android version or the time that the phone is
sitting on the shelf, or whether the Google account already exists or not.

- moreover the consent is invalid for the Google account creation during the
Android smartphone configuration

Google is fined "only" for what happened AFTER the GDPR (25/5/2018): Android
configuration and account creation.

------
ChuckMcM
It will be interesting to see how this plays out. Between the GDPR imposing
costs on the advertising model and Google being pressured not to go into
China, it's more pressure on the top line of earnings.

~~~
dennisgorelik
Google would be fine, because Google's competitors (especially small ones)
would suffer more than Google itself.

However EU users would suffer from GDPR fallout:

- Less services (due to lack of competition).

- Annoying cookies/privacy questions, forced by GDPR.

------
alkonaut
Hope they go after one of the "cookiebot"-type splash sites next. What I mean
is those that only have "consent" or "leave".

It's a clear violation of the GDPR and yet tons of sites do it.

~~~
tzs
Will going after those sites actually accomplish much?

They'll just add a third option, "pay", which lets you buy access without them
storing personal information (other than information they need to recognize
paid users, of course). Almost no one will actually pick the "pay" option, so
for most practical purposes it effectively reduces to either "consent" or
"leave".

~~~
alkonaut
I'd be perfectly happy to see what effectively is 3 options: "pay with money",
"pay with info" or "leave". Whether or not people choose the same option
anyway doesn't matter, it's now a much more informed choice than before as
it's obvious how much your information is actually worth.

Also, sites that can't be bothered to set up premium/paid access might go
the LA Times route and block access in Europe which I also think is completely
OK.

------
ddebernardy
50M EUR seems like a rounding error. Isn't Google earning over 30Bn USD per
quarter?

~~~
DeonPenny
Not if it's just profit from europe

~~~
ddebernardy
Even then, if you assume Europe is somewhere between a 4th and a 3rd of their
total revenue - which I'd expect it to be, given how the EU is a larger
economy than the US and Google is even more dominant in Europe than in the US,
and irrespective of ad budgets being traditionally lower than in the US - it
seems tiny.

------
srkmno
This is exceedingly petty even considering that the GDPR as a whole is a tool
to subject US tech firms to a degree of scrutiny and control that would
suffocate other industries and extract the occasional payout.

No one benefits from this, they just get shitty UX.

------
loldot_
It's ironic that CNIL has "accept all" as the default choice for 3rd party
cookies on its site

~~~
nolok
Honestly, I think what they offer might be the best solution you can hope for:
one button "I don't care", one button personalize and in it one button
"disable all". People who don't care and just want the site to work aren't
lost, people who care aren't lost, people who want to personalize aren't
lost. If you care, it's two clicks total to disable everything, and it's very
easy to find (the bright right "deny").

Should they have "refuse all" along with "accept all"? Yes.

Should "refuse all" be the default and thus features be disabled? I'm not
entirely sure (see what they list in the personalize, it's youtube videos and
twitter cards ...).

In terms of the intent of the law (give control to the user and make it easy
to opt out), I would say they are doing fine. As opposed to all those shitty
websites where you can't find how to disable, or you have to disable a
bazillion things by hand.

~~~
krageon
Refuse all needs to be the default, because that is the law. Even when it
comes to the intent of the law (which is to give control to the user and also
not make lazy users "accidentally" give up all of their right to privacy) they
are not doing fine. They're doing better than their peers, who have made even
more malicious choice dialogs.

~~~
nolok
I agree as a matter of "how is the law written now", I was talking more of a
"how I hope as a user that it could/will be".

If we go with everything off by default by law and try to apply it, we will
end up with a broken web, meaning websites will not follow the law because it
makes a stupid and not be punished for it because it's become the norm, just
like the (bad) cookie law.

I'm ok with how it is on their site (based on how easy it is to disable,
myself I disable all on such sites); it's quick with only 2 clicks total, and
it's easy to figure out with a clear color scheme and wording.

It's important to understand we make the law not for us tech users, but for
everyone. Finding a solution that works for everyone and gives them what they
want is important.

~~~
icebraining
Why would we end up with a broken web?

Remember that consent is only needed if you can't rely on one of the other
conditions for storing that data. If you are, say, selling a product, there's
no need to ask for consent at all for using the customer's data to bill them
and ship it. If the user changes some setting in your site, there's no need to
ask for consent to store that preference.

------
gamma-male
I really hate that if I start looking for bdsm stuff on Amazon I start having
bdsm related ads everywhere. It's really uncomfortable when friends are
shoulder surfing.

~~~
jliptzin
Just have 2 amazon accounts, SFW version and NSFW version

~~~
agumonkey
I guess that's what Firefox containers are for, just don't forget to name it
'vintage-math-books'

------
ekingr
English version: [https://www.cnil.fr/en/cnils-restricted-committee-imposes-fi...](https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc)

------
MarkMc
I'm not surprised by this. It's pretty clear that having a pre-ticked checkbox
is not allowed under GDPR. It's also against the intent of the law to require
6 clicks to deny consent but only 1 click to grant it.

~~~
CorvusCrypto
What's not allowed is pre-checked opt-in. As France mentioned that's not the
case for Google. Only a default configuration is pre-checked. The opt-in is a
separate immediately seen checkbox saying you agree to data usage for
personalization etc. Along with a link explaining how to adjust.

Edit: I should say that this approach was deemed acceptable by Sweden's
dataskyddsmyndighet which is the government regulatory agency and is a common
approach in many sites.

~~~
MarkMc
Perhaps I misunderstood and was relying too much on my memory of the Google UI
when I was in the UK. Is there a YouTube video or series of screenshots
showing exactly how to grant or deny consent with Google?

------
akavel
As an European: <3 <3 <3

Also:

_"This is the first time that the CNIL applies the new sanction limits
provided by the GDPR."_

I'm super happy the law is hopefully finally starting to get some teeth. I
sincerely hope it gets successfully tested in court, and that lawyers will
smell money in slamming down on companies trying to blatantly fake their way
out of GDPR by cheating users into "accepting" the pre-GDPR status quo.

~~~
buboard
As a European, I disagree. This is not a good ruling for anyone who has their
business in Europe. It reads petty and kinda-insane. And I just don't get the
"suck it Americans" kool-aid that the whole of the EU is into atm.

------
_bxg1
Google made $32.32 billion in Q4 2018.

That's $384.76 million per _day_.

Fines this small accomplish nothing.

~~~
colejohnson66
But the fine increases with non compliance up to 4% of their yearly revenue

~~~
_bxg1
Well then that's good, because this may as well be a verbal warning

------
olivierduval
"OK Google" ;-) Facebook, Amazon... please stay in line!!! :-D

I saw so many websites, big or small, implementing the GDPR the easy way and
calling it a day... without any thinking or consideration for their users... that
now everybody may think twice?

Google was an example, a message. That's why CNIL chose such a big player: 1)
it's too big to be really hurt by the fine, 2) most other businesses - a lot
smaller - will be frightened and will re-think their slacking approach. It's a
way to say "don't mess with us".

The funniest part is that usually the US administration tries to help US
businesses in such cases. But I don't think that the Trump administration - moreover
during a shutdown - will...

~~~
klez
> That's why CNIL chose such a big player

FWIW, CNIL didn't _choose_ a big player. They're responding to complaints
advanced by the two associations mentioned in TFA, that is _La Quadrature du
Net_ and _None Of Your Business_.

~~~
DannyBee
What?

Of course they chose. They have received the same complaints about literally
thousands of companies, and chose to advance these two first.

Regulators (no matter where) always make strategic decisions about who to
prosecute and when. That's part of the job.

I'm not sure why we are trying to pretend they are robotic automatons who just
process complaints exactly as received.

~~~
puzzle
In interviews back before GDPR, the CNIL stated that, when the maximum fines
allowed weren't enough, they saw the PR embarrassment of making their rulings
public, which is not required, an even higher punishment for Google. So they
have been making strategic decisions for a while.

------
amriksohata
The EU is bringing a copyright law in soon, who knew the EU would be the one
bringing down the internet

------
Animats
For Google, this is small. Remember when they had to pay US$500M to the US DOJ
for knowingly assisting in pushing drugs?[1]

[1] [https://www.wired.com/2013/05/google-pharma-whitaker-sting/](https://www.wired.com/2013/05/google-pharma-whitaker-sting/)

------
mtgx
> On 25 and 28 May 2018, the National Data Protection Commission (CNIL)
> received group complaints from the associations None Of Your Business
> (“NOYB”) and La Quadrature du Net (“LQDN”).

As corporations become greedier, people more privacy-aware, and leaked data
more abused by criminals, I think it's only a matter of time before Max
Schrems (guy behind noyb and the fall of EU-US Safe Harbor agreement) is named
Time's Person of the Year.

------
dennisgorelik
> the economic model of the company is partly based on the ads
> personalization. Therefore, it is of its utmost responsibility to comply
> with the obligations on the matter.

"Therefore" reasoning works in the opposite direction than CNIL bureaucrats
claim.

If Google is known for ads personalization, then:

1) Users who decided to use Google services should imply that Google will try
to personalize their ads by default.

2) In order to "comply with obligation" to deliver ads personalization, Google
should turn on "ads personalization" by default.

~~~
rippeltippel
> If Google is known for ads personalization...

If you ask 100 random people what is Google for, how many people do you think
will answer "ads personalization"? My prediction is "close to 0%".

Google's "About" page states: "Our mission is to organise the world’s
information and make it universally accessible and useful". No mention of
personalization involved.

Therefore, Google is NOT known for ads personalization.

~~~
dennisgorelik
A correct question to "100 random people" would be "Does Google do ads
personalization?"

My guess is that 70 people would not even know what "ads personalization" is.

Out of remaining 30 people, 28 would correctly claim that Google does ads
personalization.

