The EC's three antitrust cases against Google don't end with the billions of dollars in fines they have to pay. Google would gladly pay them if it meant they could continue their anti-competitive practices, it would just be a cost of doing business. But that's not the point of them.
I don't get how Google can violate something like this and the only result is the enforcement of existing law and some fine? Or I am not getting something?
The job of European data protection agencies isn't to be punitive, but to ensure compliance.
If the issue was tiny, an honest mistake that was promptly fixed when it was brought to the offender's attention, and they show that they implement safeguards so that something like that won't happen again, there may be no fine at all.
Compared to this, EUR 50M is rather heavy handed, but given that Google has approximately $infinity at their disposal, no value would "ensure compliance".
What this does is ensure that the topic will be discussed by the board of directors (50M is probably beyond the discretionary spending budget of the not-quite-top level manager who handled this) with the outlook that there may be more fines like that.
OTOH it's still far from that "4% of global revenue" figure, so it gives room for escalation. Hopefully it's also small enough that it won't be disfigured too much into "the evil EU is being protectionist again!" US press cycle that comes up every time a US company is fined by some EU body.
Wouldn't larger fines ensure compliance though?
Use it once, and you won't have to use it again. I don't know the usual English translation of a quote attributed to Mao: punish one, teach one hundred.
Handing out fines that actually hurt will not only teach those that receive it but also everybody else.
Making knuddels.de pay €20k for leaking the data (including clear text passwords) of millions of users just says "do as you please, here's a symbolic fine, we don't mind".
It does remind me of Google vs SEO-Black-Hat-Spammers. They get caught, they get a manual penalty, they remove the worst, say they're sorry, the penalty gets lifted, they continue on.
Will you make those changes?
Is it, though? Isn't the punishment supposed to fit the crime?
I think if corporations will continue to do what they want with impunity paying slap on the wrist fines for major illegalities, and passing laws in their favor through lobbying, people will eventually get fed up like they have in France, or worse. Then, more countries' populations will start demanding from their governments to impose the death penalty for corporations (at least in that government's jurisdiction) and mandatory arrests of top executives for serious corporate crimes and harm against consumers.
If the trend continues, I think it's only a matter of time until these demands become reality.
One thought: if Google had just served non-personalized ads (or personalized ads with much greater restrictions) to all of France, how much money would they have lost due to the ads being lower quality? With some very rough estimates, I'd guess $250 million in revenue resulting in $100 million in profit. ($1 billion revenue from France, $500 million from ads, ads are 2x more effective when personalized, 40% of revenue is profit). All very rough estimates/analysis, but it definitely seems like a significant slice (half the profit) of this part of Google's operations, and likely there's at least someone at Google who's thinking about this specific revenue source who just got a wake-up call. Given the roughness of the estimates, seems possibly at a point where it would have been better for Google to just give up on ad personalization (at least in France) altogether.
Another thought experiment: surely at some point (e.g. fining 100% or more of global revenue), Google will just stop operations in France (or Europe), which is probably not what anyone wants. What is that tipping point? If every country (or city) uses the "significant percentage of global revenue" approach, it's more likely to collectively become unreasonable. That's at least the extreme-case downside to giving a fine that's too big (especially proportional to the unfairly-gained profit in the jurisdiction giving out the fine).
No they won't.
The market is too large, and they are perfectly aware that they have competitors that manage to keep their businesses both legal and profitable.
Compared to the average US income, $50M is 15$.
It can be argued and should because the arguments laid out in this discussion set precedence that acts as a more concrete requirement that sits on top of GDPR. Basically imo this could be a very interesting set of arguments that mean changes to a huge amount of websites.
Isn't it just common sense based on everything in GDPR? I find it hard to believe that someone familiar with GDPR and without incentives to the contrary could legitly come away thinking the legislation intended to allow defaults to be anti-user-privacy.
> Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.
It's a warning notice, you see. Formal notice to Google, to fix this, or face real consequences.
One doesn't want to come down too heavy handed on these things. It will backfire. This light penalty and explicit notice that it requires immediate action to address, is a good move.
This is also the first offense and (one of) the first major fines to be handed out over GDPR, so it's not totally unsurprising that they might fire a warning shot to everyone that they can and will be cracking down, it wasn't an empty threat.
I wonder if this will lead to a situation like cigarette taxes in U.S. states where the "punitive" taxes wind up being a huge source of revenue that the states can't live without.
Fines aren't a one-off and everything is forgotten.
If they don't establish compliance, they can be fined again continually, with increasing amounts.
It will depend on if the enforcement agencies follow through.
I don't see how; the GDPR allows member states to fine up to 4% of worldwide revenue. If just five states fine that amount, that's 20% of revenue. Even for Google, that's practically all of their profit, and way more than what they make in the EU. And there are complaints filed with seven regulatory agencies already.
The correct pattern would be to use reasonable default settings and allow more advanced users to customize.
But EU wants to force Google to present advanced configuration options to all users. For vast majority of users advanced configuration options look like mumbo-jumbo, so most users will learn to quickly accept whatever mumbo-jumbo they are presented with -- without reading it at all.
That CNIL change will make the Web worse than it is now, not better.
There is a general confusion that the job of a user interface is to simplify the system, where that is the last thing a user interface should do. What a user interface should do is to make it as simple as possible for a user to understand and interact with the system.
Google's system is immensely complex and they have intentionally not given their users all the information and not all the options for interaction. This is intentional of course, but by looking at the user interfaces they provide as is we have to conclude that they are doing a very poor job of giving us access to understand the full complexity.
Imagine if Adobe replaced all their interfaces with a few simplified buttons, one brush to use, filters are automatically applied, lighting automatically adjusted based on personal history etc. No one would use such a program.
The GDPR in this case is pointing out that Google is not showing all the options and when they are they obscure them, i.e. they have bad user interfaces by making it as difficult as possible for a user to understand and interact with their system.
If anything, this will force Google to make good user interfaces. For, if the measurement of a good interface is about how simple the interface is regardless of the complexity of the underlying system, then all good user interfaces should be reduced to one button. Such a measurement of quality is ignorant and cannot further any skill in designing user interfaces.
This is entirely subjective and meaningless unless you have a way of measuring it objectively.
All it’s actually doing is making people change things, basically arbitrarily, in the hope it’ll make things better.
Maybe the intent is vaguely in the right place, but I’m pretty skeptical of any kind of magic bullet for making people make “good” user interfaces.
I think it is far from clear this will make things better, not worse.
I don't understand what "advanced users" have to do about that, it's about privacy and owning your data, do you think less savvy internet users should just let Google siphon their data? If anything they're the one who most benefit from this change since they're less likely to understand what data they're sharing exactly and implement countermeasures client-side.
>so most users will learn to quickly accept whatever mumbo-jumbo they are presented with -- without reading it at all.
That's because of the dark patterns I talk about above. Given clear "I accept/I refuse" controls it wouldn't be any slower or difficult to quickly dismiss the dialog -- without reading it at all.
But of course Google doesn't want you to do that so they make it as hard as they can to find the "I refuse" control, leaving you with a cumbersome UI where you're tempted to click "I accept" to get it over with.
1) It would definitely be slower than not having that dialogue at all (the less UI elements - the simpler).
Do you remember that typical user visits Google web site NOT to setup his privacy settings, but with a totally different goal (such as do web search)?
2) "Accept vs Deny" is easy to read, but how would most users know what choice is better for them?
In order to form a reasonable opinion on that cookie choice -- I personally spent multiple hours (if not days) of reading and thinking.
EXACTLY! Why should the user then have to give up their privacy? All they wanted to do was a simple search, not be tracked and profiled. So it's the unneeded collecting of personal data that's the problem here, not the ux.
I mean have you seen the current dialog you get when you get on a google domain with a "fresh" session? It's a wall of text with a scrollbar redirecting you to multiple other pages if you want to see what exactly Google collects. It's also pretty unclear what each link leads to and how to opt out of everything. Clearly they didn't really optimize for simplicity here, they're the only ones to blame for that.
I'm perfectly aware that people don't go to google.com specifically to setup privacy settings, and that's precisely what Google is counting on. By using an unnecessarily complex interface they hope that people will give up immediately and accept whatever Google is pushing.
>In order to form a reasonable opinion on that cookie choice -- I personally spent multiple hours (if not days) of reading and thinking.
Well that's your choice, my modus operandi is simpler: I systematically refuse everything I can refuse. That's quick and easy. I have yet to witness any degradation of my browsing experience.
I'd be curious to hear what kinds of dilemmas you've had while reading the terms and conditions that lead you to days of thinking.
I just checked - there is no such dialogue on google.com for me. I am in the US. GDPR does not apply here.
My conclusion is that the complex dialogue on google.com you are suffering -- is the result of GDPR. Without GDPR Google (and most other successful websites) delivers simplicity.
> I systematically refuse everything I can refuse.
You can refuse opening google.com in your browser.
Do you refuse to open google.com?
> what kinds of dilemmas you've had
I carefully thought about whether I want unneeded complexity in my life or not.
My choice is "No GDPR and no complexity".
Your choice is GDPR which implies complexity (but you do not understand that "GDPR -> websites complexity" causation, because you did not think about that choice hard enough).
If you collect so much diverse data that you exploit in 100 different ways and share with 1000 different companies that you require a hundred pages of individual consent checkboxes, the system is working as intended.
Will most users just accept all? Maybe. But I think the share of concerned users is larger than you believe it to be. And if history is any indication, "reasonable default settings" have a bad habit of never erring on the side of data collection minimization, particularly for new and novel features.
> For vast majority of users advanced configuration options look like mumbo-jumbo, so most users will learn to quickly accept whatever mumbo-jumbo they are presented with -- without reading it at all.
Hiding the (pre-ticked) consent boxes in "advanced configuration" UI has been the default strategy so far. This fine made clear that this doesn't actually work to obtain valid consent.
I, personally, when I browse internet, strongly prefer personalized ads (over non-personalized ads).
Most users, probably, do not care either way (because they do not understand the implications). But the business (e.g. Google) cares about ads personalization a lot, because ads personalization significantly increases tax revenue and reduces number of irrelevant ads that users see.
In this situation the reasonable default choice is to allow ads personalization, so the business will have ad revenue to function and deliver functionality users need.
> because they do not understand the implications
This is the point. Relying on people not understanding something is not ethical and certainly not "reasonable".
Do you imply that democratic process never make mistakes?
> Relying on people not understanding something is not ethical
CNIL bureaucrats rely on people not understanding, that these GDPR regulations make internet worse (annoying "accept/deny cookies" questions, less relevant ads, less revenue for businesses to create functionality users want).
Would you say that CNIL is unethical?
Anyway, that's whataboutism.
Which is fine if you want to click the checkbox to enable personalization. But not everyone wants that personalization and tracking. For instance, I've found personalized ads to be worse than generic ads, where Google tries to sell me a product for weeks after I researched and purchased it. If you enjoy the personalized ads, there is nothing to stop you from opting in, but that shouldn't be the default behavior.
... according to GDPR.
My point is that GDPR is bad (for internet users) at the very core (intent) of GDPR legislation.
Which EU law do you think forces this? Please can you link to it?
See also: California's prop 65.
The reasons for those are obvious and somewhat understandable from the companies' POV. Nevertheless, I don't see how a prompt employing dark patterns constitutes free and informed consent.
As such, I'm glad this decision seems to go in the same direction.
...while not apparent on the main page (I'm sure they'll fix this in time), if you click on any item, no matter which item, there will be a little "Prop 65" warning notice, with a link to this page (rendered as a dialog):
The print catalog is even funnier, if you receive it - every single spot of a component or part has the Prop 65 warning.
Someone should print up a bunch of "Prop 65" stickers, and plaster them on everything in California (for all I know, they are already doing this).
It's all kinda absurd.
The request for consent must be given ...
The site you linked is not the law, it's some kind of blog. But let's use this site: where does it say that all cookies require opt-in consent?
But this is what we know:
1) Almost all popular web sites, that serve EU audience - added personalization consent form.
2) This is what CNIL defines as "personalization"
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
I, probably, should not focus on "cookies" and focus on "website personalization" instead.
Almost all popular websites use "personal data". GDPR forces these websites to present "consent form" to users, whether users want to answer that consent question or not.
I, as a user, do NOT want to be forced to see that "consent" question on my first visit of a website, but GDPR forces me to. That is abuse of government power.
You're conflating interests of internet companies and interests of users a lot here. No doubt, this is not in the interests of internet companies - however, I fail to see how it's actually bad for users.
If you're ennerved by the cookie banners and don't care about your privacy, you're always free to click the prominent "accept all" buttons and continue like before.
This is exactly the reason for the GDPR. Users don't understand the implications and so they shouldn't be automatically opted-in to systems that violate their human rights.
1) "Incognito" mode.
2) "Clear browsing data".
> Seems like nobody cared about it
That is exactly my point: vast majority of users do not care much about removing their cookies.
If users do not really care -- why pollute UI of websites with questions that users do not care about?
>Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. 
I prefer bad ux patterns over dark ux patterns.
UX is not about smoothness of the first 5 min of using a product. Long term counts. Let's ask how people feel about Facebook these days? They had a perfect blindfolded way to onboard you, do you still think that is good UX?
Only if you keep using the same website again and again and do not delete cookies.
Is it your goal to reduce number of websites that users visit?
It doesn't. The current breed of UIs that we see is companies trying to find an easy way out. Easily half of them are illegal under GDPR: they are either ambiguous, or redirect to third-party websites, or employ dark patterns, or require consent to collect data that's not required for website operation, or all of the above and more.
"That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance)."
I don't think the "More options" issue would have been too much of an issue if all the options weren't preselected.
And the full decision (in French, too) for anyone wanting to read 31 pages of scanned legalese (not too harsh, though): https://www.cnil.fr/sites/default/files/atoms/files/san-2019...
For very low values of "speak English", of course - this is France after all. That translation is so peculiar, it reminds me of the Chinglish manuals we get with cheap manufactured products.
It's interesting that this wasn't brought up to my employer in Sweden. We had default data collection settings checked and in a separate view accessible by a similar "more options" toggle and it was deemed okay as long as we had a visible blanket opt-in checkbox and a link explaining the settings, how we use data, and how to adjust. Our regulators said it would be enough as the goal of GDPR is to make every use of data reasonably known, adjustable, and revocation with good faith toward the user. Yet here it seems France is arguing that it is about immediate showing of all settings to the user and that every website should tell in the user's face about every single configuration of data usage. It's possibly a good approach, idk, I feel it is a bit too annoying of a precedent and that they are nitpicking a bit.
I can't wait for this to fully play out. Regarding documentation and informing the user, I disagree with their findings entirely about the frustration of finding data usage info as all of France's concerns were lost on me upon visiting https://safety.google/privacy/data/. To me it seems that Google has made a good faith effort at least in documentation.
As a user, I do agree that a "blanket opt in" button/ default checked checkbox is so pointless that it could as well be left out.
An EASILY DIGESTIBLE page explaining what data is stored and how it is used, with an agree button at the end (and separate opt-in for different sets of data/functionality) should be mandatory.
Emphasis on the easily digestible, because we all know that the "terms and conditions" pages out there are constructed to be as obtuse and uninformative as possible to make users just skip them.
We need some general browser based auto script, so that websites don't get to ask, something like a do not track header, but one that was legally binding.
Until then I click accept on all the sites that I use on my phone, they can set all the cookies they want, as I use Firefox Sync, which erases all data whenever you press back or close the browser.
I worry that accepting cookies once, for one of these sites, will lead them to try and de-anonymize you, maybe even across private browsing windows, or different sessions. If you give them the right to basically fingerprint you, be assured that they will abuse it.
That is, no more “agree and continue” that isn’t accompanied by an equally prominent “continue without tracking”.
So, the market is so skewed that that is how presumably somewhat informed people perceive it?
I mean, I would think it is just obvious bullshit. There are plenty of businesses that sell you a service for money, and that is all they do, and this kind of regulation has exactly zero impact on them. The only problem is that they have to compete with others who simply mistreat their customers in order to be able to ask for less money--so it's about time that a level playing field is restored where it's obvious that anti-asshole regulation does not impact everyone.
I did not mean businesses would become unviable, just that everyone needs to change the way they present GDPR relevant information.
This has nothing to do with spying or misreading customers.
As a customer, I want to know what data a service stores and how it is used, without digging through pages of cryptic terms and services.
Informed consent is the keyword here.
Plenty of paid services share their data with third parties.
As a customer, I simply want my data to not be stored at all, unless I explicitly asked for it, in which case the consent is obviously implied.
> Plenty of paid services share their data with third parties.
And plenty of paid services don't. And those don't have to change anything. That's my point.
I doubt that you are going to explicitly ask sites to store your IP address, so how do you think that should be handled?
IP address alone doesn't prove location, but it is evidence. The EU, for example, requires for internet sales that you justify your choice of whose VAT to collect by providing two non-contradictory pieces of evidence for the location you chose. IP address can be one of those pieces. Billing address of the card used for the purchase can be another, and for most people that and IP address is enough.
Now, maybe it would be preferable to ask for permission in those cases as well (just put a checkbox in the order form?), but my point (though maybe not stated clearly enough) was not that I expect only data to be stored when I explicitly ask for it to be stored, but that it is only stored when I explicitly ask for something that necessarily requires the data to be stored. So, if I order some digital goods, it might be required that the shop stores my IP address, so that's probably OK. But my point is that that does not include the permission to use it for anything other than fulfilling the legal obligation, and most certainly not to also store my navigation behavior on their website, or to keep it once they don't need it for tax purposes anymore.
As for the amount of the fine, even if it is small in comparison with Google’s profits, it has to come from one employee’s budget. That one person will be strongly motivated to fix this.
CNIL agreed with the Complainant
> If you continue to browse this website, you accept third-party cookies used to offer you videos, social sharing buttons, contents from social platforms.
That looks like an illegal opt out. They should fine themselves :)
Also, as the decision regarding Vectaury shows, CNIL considers that it's up to every platform to explicitly ask for your consent before processing your personal information. So it'd be up to Facebook or Twitter to present you the opt-in feature, in case you're not connected to their platform yet.
CNIL does ask for your consent if you want to contact them and you're filling the contact form. They provide a link to the complete list of required information : content stored, processes done, who will see the data, for how long, and who to contact to object.
 https://www.cnil.fr/fr/donnees-personnelles/plaintes-en-lign... (in French)
From the linked article:
> The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.
I genuinely don't understand why they are allowed to put the information in a menu that is behind a "personalize" button in a menu, and then only explain how the data is shared by clicking on several other links to understand, but google is getting fined for doing what seems like the same thing.
Even if you click the "view the official website" for YouTube on the permissions screen on cnil.fr, you are sent to , which seems like a VERY comprehensive screen that details all the information they collect, what they do with it, and how to stop it.
And if Google or cnil.fr can't get this right, what hope do I have of getting it right?
So the issue is a lack of a single (or a very limited number of) "opt out of all data collection" button? I didn't know that was a requirement. How does that requirement interact with data which is required to run the business? Isn't the single "opt out" to delete or not create the account in question with Google?
>it is difficult for anyone to know how much data Google has, and one of the provisions of GDPR is that companies allow consumers to access their personal data.
Doesn't  show it pretty explicitly for Google?
It's not all on the same page, but it's not like it's all hidden or purposefully obfuscated. And I'm not sure how you would even fit it all on one page, it would be extremely hard to navigate if that were a requirement.
>I expect that, if cnil.fr is compliant, then clicking deny all stops all data collection.
The root of this seems to be that Google:
1. Doesn't tell the user well enough what their data is used for. I'm floored at the idea of this because Google has among the most comprehensive systems for explaining and controlling how your data is used within the company. This specifically terrifies me as Google is the standard that I'd hold any company I'm in to, as the way they show and explain how they use data is very understandable to me and many I've talked to about it. It almost seems like they will have to take a step backwards to become compliant and show a single page with a bunch of technical information on it that follows the letter of the law but in practice is useless for most people.
These third-party things should be in your cache.
You need to have Facebook enabled for instance if you want to use the Facebook sharing button at the bottom (same for Twitter).
And everything is disabled by default.
So it does seem like the correct way to do it.
The world isn't black and white.
>The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons...
- for Google accounts created and Android smartphone configured before GDPR (25/5/2018), consent is considered valid under GDPR
- for Android smartphone configured AFTER 25/5/2018, the consent is considered invalid, whatever the Android version or the time that the phone is sitting on the shelf, or whether the Google account already exists or not.
- moreover the consent is invalid for the Google account creation during the Android smartphone configuration
Google is fined "only" for what happened AFTER the GDPR (25/5/2018): Android configuration and account creation.
However EU users would suffer from GDPR fallout:
- Less services (due to lack of competition).
- Annoying cookies/privacy questions, forced by GDPR.
It’s a clear violation of the GDPR and yet tons of sites do it.
They'll just add a third option, "pay", which lets you buy access without them storing personal information (other than information they need to recognize paid users, of course). Almost no one will actually pick the "pay" option, so for most practical purposes it effectively reduces to either "consent" or "leave".
Also, sites that can't be bothered to set up premium/paid access might go the LA Times route and block access in Europe which I also think is completely OK.
No one benefits from this, they just get shitty UX.
Should they have "refuse all" along with "accept all"? Yes.
Should "refuse all" be the default and thus features be disabled? I'm not entirely sure (see what they list in the personalize, it's YouTube videos and Twitter cards ...).
In terms of the intent of the law (give control to the user and make it easy to opt out), I would say they are doing fine. As opposed to all those shitty websites where you can't find how to disable, or you have to disable a bazillion things by hand.
If we go with everything off by default by law and try to apply it, we will end up with a broken web, meaning websites will not follow the law because it makes a stupid and not be punished for it because it's become the norm, just like the (bad) cookie law.
I'm ok with how it is on their site (based on how easy it is to disable, myself I disable all on such sites); it's quick with only 2 clicks total, and it's easy to figure out with a clear color scheme and wording.
It's important to understand we make the law not for us tech users, but for everyone. Finding a solution that works for everyone and gives them what they want is important.
Remember that consent is only needed if you can't rely on one of the other conditions for storing that data. If you are, say, selling a product, there's no need to ask for consent at all for using the customer's data to bill them and ship it. If the user changes some setting in your site, there's no need to ask for consent to store that preference.
Of course, these are different magnitudes of offences, but they do indicate how insidious and normalised are the patterns established by companies like Google, Facebook, Twitter and co.
The rest either have an "accept all" or "pre-ticked accept" or a tiny, misleading "more options".
So government and bureaucracies can be impervious to rules they expect everyone to follow. This site seems a humongous fan of bureaucracy as long as it is European.
But yeah, it's bad optics.
Edit: I should say that this approach was deemed acceptable by Sweden's dataskyddsmyndighet which is the government regulatory agency and is a common approach in many sites.
Yes it sends the message that France is going to keep trying to attack Google & Facebook until they relent and exit Ireland
There is no evidence that they worked constructively with Google to resolve the technical and nuanced issue (a breach of predictably vague and complex laws).
This seems to specifically relate to "create account" on a reset Android device when it gets to the Google services section. That's a long walk for a short drink of water. Which version of Android is not compliant? Is it universal?
In enforcing regulations changed just months before there has to be reasonableness. Issuing a EUR50m fine 2 months after discovering an edge case like this is not reasonable. Helping the company comply is the right behaviour. Then seek punitive measures if they fail to.
It states 10k people made a complaint about this. No they didn't. They even take a swipe at the Irish government in their release.
I'm all for bashing Google and have numerous issues with them, but this is nonsense.
If you run a business and are not remotely concerned about the abuse of this legislation you have lost your mind.
Among other actions, they're the ones that have been taking Google all the way up to the EU Court of Justice to enforce worldwide the right to be forgotten. The advocate general just sided with Google less than two weeks ago, which makes for an interesting coincidence. They, and IFP in particular, have been itching in public interviews for the power to levy higher fines. Now they are simply following up on past statements.
If you click "OK, accept all" on the CNIL site, it looks like that enables integrations with Facebook, Twitter, Prezi, SlideShare, Vimeo, and YouTube. Doesn't seem granular at all.
At some point French regulators were pushing for a rule that any processing of French citizens had to be done in France... Which is a great combination of untenable and an obvious jobs program.
Likewise, this comes across as incredibly arbitrary, with enforcement driven by fines rather than actual clear regulations. Non-compliance on their own website just hammers it home.
Why not, though? If Trump is promising to leave NATO without the military support from the US, then EU has every reason to create the laws that enforce that commitment.
The fact is that as of now, the larger ecosystem is not in a balanced state at all.
Then let's not make blanket statements about whether "pre-checked consent" is permissible or not.
"This is the first time that the CNIL applies the new sanction limits provided by the GDPR."
I'm super happy the law is hopefully finally starting to get some teeth. I sincerely hope it gets successfully tested in court, and that lawyers will smell money in slamming down on companies trying to blatantly fake their way out of GDPR by cheating users into "accepting" the pre-GDPR status quo.
That's $384.76 million per day.
Fines this small accomplish nothing.
Corporations make all their decisions based on risk/cost/reward; if it costs X to respect people's privacy, and it costs Y (via fines) to not respect people's privacy, you just have to balance that equation. Shareholders will do the rest.
You clearly didn't read my last message very closely. The whole idea is that the fine needs to change the economics so that it's no longer a good business decision. A business is going to pick the path of least "cost of operation", so you make sure that those forces push it in the direction that's best for society.
I saw so many websites, big or small, implementing the GDPR the easy way and calling it a day... without any thinking or consideration for their users... that now everybody may think twice?
Google was an example, a message. That's why CNIL chose such a big player.
1) it's too big to be really hurt by the fine
2) most other businesses - a lot smaller - will be frightened and will re-think their slacking approach
It's a way to say "don't mess with us".
The funniest part is that usually the US administration tries to help US businesses in such cases. But I don't think that the Trump administration - moreover during shutdown - will...
FWIW, CNIL didn't choose a big player. They're responding to complaints advanced by the two associations mentioned in TFA, that is La Quadrature du Net and None Of Your Business.
Of course they chose.
They have received the same complaints about literally thousands of companies, and chose to advance these two first.
Regulators (no matter where) always make strategic decisions about who to prosecute and when. That's part of the job.
I'm not sure why we are trying to pretend they are robotic automatons who just process complaints exactly as received.
In fact, they could have chosen Google, because they may act on their own without any complaint.
But they choose the amount ;-)
As corporations become greedier, people more privacy-aware, and leaked data more abused by criminals, I think it's only a matter of time before Max Schrems (guy behind noyb and the fall of EU-US Safe Harbor agreement) is named Time's Person of the Year.
"Therefore" reasoning works in the opposite direction than CNIL bureaucrats claim.
If Google is known for ads personalization, then:
1) Users who decided to use Google services should imply that Google will try to personalize their ads by default.
2) In order to "comply with obligation" to deliver ads personalization, Google should turn on "ads personalization" by default.
If you ask 100 random people what Google is for, how many people do you think will answer "ads personalization"? My prediction is "close to 0%".
Google's "About" page states: "Our mission is to organise the world’s information and make it universally accessible and useful". No mention of personalization involved.
Therefore, Google is NOT known for ads personalization.
My guess is that 70 people would not even know what "ads personalization" is.
Out of remaining 30 people, 28 would correctly claim that Google does ads personalization.