CNIL imposes a financial penalty of 50M euros against Google (cnil.fr)
330 points by Aissen 87 days ago | 222 comments



50M euros seems far too little to me. It's a major violation against a fundamental regulation in their core product and compared to their revenue, 50M is nothing. A magnitude more will probably get google thinking, but I doubt this will.


As always with these cynical comments about fines, it misunderstands the nature of them. Google or any other company does not get to just continue their practices as usual, the fine is purely "punishment" for the bad behavior in the past. The real teeth is in the changes they will be forced to make.

The EC's three antitrust cases against Google don't end with the billions of dollars in fines they have to pay. Google would gladly pay them if it meant they could continue their anti-competitive practices, it would just be a cost of doing business. But that's not the point of them.


CNIL: "Therefore, it is of its utmost responsibility to comply with the obligations on the matter."


but wouldn't a fine that's actually sizable send a different signal?

I don't get how Google can violate something like this and the only result is the enforcement of existing law and some fine? Or am I not getting something?


> the only result is the enforcement of existing law and some fine?

The job of European data protection agencies isn't to be punitive, but to ensure compliance.

If the issue was tiny, an honest mistake that was promptly fixed when it was brought to the offender's attention, and they show that they implement safeguards so that something like that won't happen again, there may be no fine at all.

Compared to this, EUR 50M is rather heavy handed, but given that Google has approximately $infinity at their disposal, no value would "ensure compliance".

What this does is ensure that the topic will be discussed by the board of directors (50M is probably beyond the discretionary spending budget of the not-quite-top level manager who handled this) with the outlook that there may be more fines like that.

OTOH it's still far from that "4% of global revenue" figure, so it gives room for escalation. Hopefully it's also small enough that it won't be disfigured too much into "the evil EU is being protectionist again!" US press cycle that comes up every time a US company is fined by some EU body.


> The job of European data protection agencies isn't to be punitive, but to ensure compliance.

Wouldn't larger fines ensure compliance though?


Well next fine, if nothing is done to comply, will be heavier. For better or worse, that's how it is intended to work.


It would send a different signal that France doesn't necessarily want to send. If the fine for having a bad UX over passable data privacy configurations is billions of dollars, and the fine for not making an effort at all is also billions of dollars, that doesn't really encourage the right behavior.


Larger fines can tell companies at large that it is unsafe to do business in that jurisdiction.


GDPR would have allowed fines of up to 4% of Google's global turnover. That's a bazooka you don't use for every infraction. If Google is found to be a repeat offender or fails to comply, that's probably when regulators will use that particular tool in their toolbox.


> That's a bazooka you don't use for every infraction.

Use it once, and you won't have to use it again. I don't know the usual English translation of a quote attributed to Mao: punish one, teach one hundred.

Handing out fines that actually hurt will not only teach those that receive it but also everybody else. Making knuddels.de pay €20k for leaking the data (including clear text passwords) of millions of users just says "do as you please, here's a symbolic fine, we don't mind".


I mean, there's a reason that quote is attributed to Mao. When regulators fire off ruinous fines as a first resort, the lesson companies learn is not that everything will be okay if they follow the rules.


You're probably right, they don't want to hurt the actors on the first offence. We shall see whether it will turn into a three-strikes system, or remain in a rather pedagogical Western European fashion.

It does remind me of Google vs SEO-Black-Hat-Spammers. They get caught, they get a manual penalty, they remove the worst, say they're sorry, the penalty gets lifted, they continue on.


The $50bn fine gets paid and steps taken to comply in future. The $4bn fine gets more appeals and politicians dragged in.


Ok, but can you translate this line of thought to a fine at the scale of an individual, for example a speeding ticket?


"Here is a $100 fine because we caught you speeding in a poorly-marked zone. Of course, now that you unambiguously know what the speed limit is here, if we catch you speeding again, we will take your house."


Why do Goldman Sachs, HSBC, etc. have houses...?


A speeding fine is the punishment, and the limited amount of points on the driving licence, some of which are taken away at each infraction, are the incentive for changing behaviour.


"You should definitely make these major changes to your lifestyle, and if you don't, in about ten years or so we will fine you $25."

Will you make those changes?


> the fine is purely "punishment" for the bad behavior in the past.

Is it, though? Isn't the punishment supposed to fit the crime?

I think if corporations will continue to do what they want with impunity paying slap on the wrist fines for major illegalities, and passing laws in their favor through lobbying, people will eventually get fed up like they have in France, or worse. Then, more countries' populations will start demanding from their governments to impose the death penalty for corporations (at least in that government's jurisdiction) and mandatory arrests of top executives for serious corporate crimes and harm against consumers.

If the trend continues, I think it's only a matter of time until these demands become reality.


Certainly, taking a nontrivial percentage of global revenue will force Google's attention, but I'm not convinced that's the best way to think about it.

One thought: if Google had just served non-personalized ads (or personalized ads with much greater restrictions) to all of France, how much money would they have lost due to the ads being lower quality? With some very rough estimates, I'd guess $250 million in revenue resulting in $100 million in profit. ($1 billion revenue from France, $500 million from ads, ads are 2x more effective when personalized, 40% of revenue is profit). All very rough estimates/analysis, but it definitely seems like a significant slice (half the profit) of this part of Google's operations, and likely there's at least someone at Google who's thinking about this specific revenue source who just got a wake-up call. Given the roughness of the estimates, seems possibly at a point where it would have been better for Google to just give up on ad personalization (at least in France) altogether.

Another thought experiment: surely at some point (e.g. fining 100% or more of global revenue), Google will just stop operations in France (or Europe), which is probably not what anyone wants. What is that tipping point? If every country (or city) uses the "significant percentage of global revenue" approach, it's more likely to collectively become unreasonable. That's at least the extreme-case downside to giving a fine that's too big (especially proportional to the unfairly-gained profit in the jurisdiction giving out the fine).


> Google will just stop operations in France (or Europe)

No they won't.

The market is too large, and they are perfectly aware that they have competitors that manage to keep their businesses both legal and profitable.


I guess it's a complex decision, but I feel like if I was running a worldwide business and a single country decided to impose a $100 billion fine (the scenario I was describing), I'd want nothing to do with that country. That's much, much more than the market opportunity that Google has in France. Probably I'd want to avoid operating at all in countries that have a chance of imposing that scale of fine.


This is not a single country -- as the article mentions, this decision is valid for the entire EU. Obviously, there will still be some kind of limit for individual businesses, but a 50M€ fine is nowhere near enough for a company like Google to stop doing business in the entire European Union.


Google will now be expected to do it all over, and follow the rules. If they fail, the fine will most likely be much higher.


There are complaints like this in almost every European country. If it's a 50M fine in France, 50 more in Germany, 50 in the Netherlands and so on, it should start to be a huge amount!


To fine the company for merely 5% of their $110 bln revenue it would take 110 countries.

Compared to the average US income, $50M is $15.


In case of repeated and obvious offense (not the case of Google for now), the fine may grow up to 4% of the annual revenue... For each case!


Is that 100 billion from all countries? If fines from the EU exceed profits from the EU then that division would be bust, it's more like 25 billion.


So many downvotes. Never criticize our corporate overlords.


Still more than a 100 times the usual amount for the CNIL fines.

https://www.cnil.fr/en/tag/sanctions


It’s also the first fine to be handed out after the GDPR came into effect (the other fines on the page are for infractions discovered before May 2017). Which is one of the reasons the GDPR was passed: previous laws had much less teeth when it came to fines.


Not the first; a German chat app was hit by a minor fine because they stored passwords in cleartext in 2018.


Sorry, I meant "the first by CNIL" (or even more specifically, the first in the list of previous fines that was a couple of posts above)


It could be a million times higher, but if it's an amount the company in question turns over in less than an hour, it's still meaningless. As a fine, it's almost insignificant, but as a judicial signal it _is_ important, because it's the first official warning, and ignoring it means the next punitive measure will be orders of magnitude higher.


I think this is just for France and for this case. If they continue, there'll be new fines. Also other EU countries, I think, can jump in. Changing behavior is what hurts them, and apparently here no need for 5 year investigations. Matter of months and the verdict is in.


50M euro here, 50M euro there pretty soon you're talking real money.


Perhaps. Though with GDPR the framework is intentionally vague on a lot of things. You often hear about limits and design requirements and such, well those don't exist. They are just legal "best guesses" with the framework's inherent goal as a guide. Nobody knows whether default configs are disallowed as long as opt-in is positive action. The current best guesses for that vary and all that's known in GDPR in that regard is that there must be positive user opt-in with a good faith effort of informing the user. In this sense Google likely thought they were satisfying this requirement.

It can be argued and should be, because the arguments laid out in this discussion set a precedent that acts as a more concrete requirement that sits on top of GDPR. Basically imo this could be a very interesting set of arguments that mean changes to a huge amount of websites.


> Nobody knows whether default configs are disallowed as long as opt-in is positive action.

Isn't it just common sense based on everything in GDPR? I find it hard to believe that someone familiar with GDPR and without incentives to the contrary could legitly come away thinking the legislation intended to allow defaults to be anti-user-privacy.


Why would it be common sense? Literally nothing is written about design details. At a certain point burden will fall on the user and no it's not common sense where that point lies. Legal arguments such as this case are what concretely define expectations. I get the data protection part and it's easy to just say "anyone that does X is against data protection", but implementing stuff to satisfy GDPR is a mess of grey areas. It's just as likely a company sets defaults to streamline the UI experience for a user as is the case they did it to maliciously trick users (Yeah yeah Google is evil etc., etc. But remember these decisions affect all companies). This is not to mention the fact that many companies don't even offer customized settings and simply have only blanket opt-in checkboxes.


It's a fair penalty.

> Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.

It's a warning notice, you see. Formal notice to Google, to fix this, or face real consequences.

One doesn't want to come down too heavy handed on these things. It will backfire. This light penalty and explicit notice that it requires immediate action to address, is a good move.


Felt like a ridiculous amount, but also a sum that Google will not think a lot before paying, which may serve as an admission/precedent for future laws.


Similarly to raising taxes you also have to keep in mind that governments walk a tightrope: too little and it doesn't accomplish what you wanted but too much and you could then be dealing with a lot of unemployed people. Neither is good, so you have to be careful.

This is also the first offense and (one of) the first major fines to be handed out over GDPR, so it's not totally unsurprising that they might fire a warning shot to everyone that they can and will be cracking down, it wasn't an empty threat.


The way the GDPR is written it seems that big co's will be able to pay their way out of noncompliance, the percentage of revenues that they charge in fees is a lot but it won't erase their margin.

I wonder if this will lead to a situation like cigarette taxes in U.S. states where the "punitive" taxes wind up being a huge source of revenue that the states can't live without.


Not really.

Fines aren't a one-off and everything is forgotten. If they don't establish compliance, they can be fined again continually, with increasing amounts.

It will depend on if the enforcement agencies follow through.


> the percentage of revenues that they charge in fees is a lot but it won't erase their margin.

I don't see how; the GDPR allows member states to fine up to 4% of worldwide revenue. If just five states fine that amount, that's 20% of revenue. Even for Google, that's practically all of their profit, and way more than what they make in the EU. And there are complaints filed with seven regulatory agencies already.


CNIL forces bad UX pattern on EU users.

The correct pattern would be to use reasonable default settings and allow more advanced users to customize.

But EU wants to force Google to present advanced configuration options to all users. For vast majority of users advanced configuration options look like mumbo-jumbo, so most users will learn to quickly accept whatever mumbo-jumbo they are presented with -- without reading it at all.

That CNIL change will make the Web worse than it is now, not better.


I cannot disagree more.

There is a general confusion that the job of a user interface is to simplify the system, where that is the last thing a user interface should do. What a user interface should do is to make it as simple as possible for a user to understand and interact with the system.

Google's system is immensely complex and they have intentionally not given their users all the information and not all the options for interaction. This is intentional of course, but by looking at the user interfaces they provide as is we have to conclude that they are doing a very poor job of giving us access to understand the full complexity.

Imagine if Adobe replaced all their interfaces with a few simplified buttons, one brush to use, filters are automatically applied, lighting automatically adjusted based on personal history etc. No one would use such a program.

The GDPR in this case is pointing out that Google is not showing all the options and when they are they obscure them, i.e. they have bad user interfaces by making it as difficult as possible for a user to understand and interact with their system.

If anything, this will force Google to make good user interfaces. For, if the measurement of a good interface is about how simple the interface is regardless of the complexity of the underlying system, then all good user interfaces should be reduced to one button. Such a measurement of quality is ignorant and cannot further any skill in designing user interfaces.


What is simple? What is simple enough? For whom?

This is entirely subjective and meaningless unless you have a way of measuring it objectively.

All it’s actually doing is making people change things, basically arbitrarily, in the hope it’ll make things better.

Maybe the intent is vaguely in the right place, but I’m pretty skeptical of any kind of magic bullet for making people make “good” user interfaces.

I think it is far from clear this will make things better, not worse.


I don't blame the CNIL, I blame the tech giants who use dark patterns to trick me into giving my data. I hope the CNIL and other regulatory bodies won't relent until Google & friends figure their shit out and offer sane defaults in a sane UI.

I don't understand what "advanced users" have to do with that, it's about privacy and owning your data, do you think less savvy internet users should just let Google siphon their data? If anything they're the ones who most benefit from this change since they're less likely to understand what data they're sharing exactly and implement countermeasures client-side.

>so most users will learn to quickly accept whatever mumbo-jumbo they are presented with -- without reading it at all.

That's because of the dark patterns I talk about above. Given clear "I accept/I refuse" controls it wouldn't be any slower or difficult to quickly dismiss the dialog -- without reading it at all.

But of course Google doesn't want you to do that so they make it as hard as they can to find the "I refuse" control, leaving you with a cumbersome UI where you're tempted to click "I accept" to get it over with.


> Given clear "I accept/I refuse" controls it wouldn't be any slower or difficult to quickly dismiss the dialog

1) It would definitely be slower than not having that dialogue at all (the fewer UI elements, the simpler).

Do you remember that the typical user visits the Google web site NOT to set up his privacy settings, but with a totally different goal (such as doing a web search)?

2) "Accept vs Deny" is easy to read, but how would most users know what choice is better for them?

In order to form a reasonable opinion on that cookie choice -- I personally spent multiple hours (if not days) of reading and thinking.


> Do you remember that the typical user visits the Google web site NOT to set up his privacy settings, but with a totally different goal (such as doing a web search)?

EXACTLY! Why should the user then have to give up their privacy? All they wanted to do was a simple search, not be tracked and profiled. So it's the unneeded collecting of personal data that's the problem here, not the UX.


Being tracked and profiled is the cost of using Google to do a simple search. No free lunch and all that.


> 1) It would definitely be slower than not having that dialogue at all (the fewer UI elements, the simpler).

> Do you remember that the typical user visits the Google web site NOT to set up his privacy settings, but with a totally different goal (such as doing a web search)?

I mean have you seen the current dialog you get when you get on a Google domain with a "fresh" session? It's a wall of text with a scrollbar redirecting you to multiple other pages if you want to see what exactly Google collects. It's also pretty unclear what each link leads to and how to opt out of everything. Clearly they didn't really optimize for simplicity here, they're the only ones to blame for that.

I'm perfectly aware that people don't go to google.com specifically to setup privacy settings, and that's precisely what Google is counting on. By using an unnecessarily complex interface they hope that people will give up immediately and accept whatever Google is pushing.

>In order to form a reasonable opinion on that cookie choice -- I personally spent multiple hours (if not days) of reading and thinking.

Well that's your choice, my modus operandi is simpler: I systematically refuse everything I can refuse. That's quick and easy. I have yet to witness any degradation of my browsing experience.

I'd be curious to hear what kinds of dilemmas you've had while reading the terms and conditions that led you to days of thinking.


> have you seen the current dialog you get when you get on a google domain with a "fresh" session?

I just checked - there is no such dialogue on google.com for me. I am in the US. GDPR does not apply here.

My conclusion is that the complex dialogue on google.com you are suffering -- is the result of GDPR. Without GDPR Google (and most other successful websites) delivers simplicity.

> I systematically refuse everything I can refuse.

You can refuse opening google.com in your browser. Do you refuse to open google.com?

> what kinds of dilemmas you've had

I carefully thought about whether I want unneeded complexity in my life or not.

My choice is "No GDPR and no complexity".

Your choice is GDPR which implies complexity (but you do not understand that "GDPR -> websites complexity" causation, because you did not think about that choice hard enough).


That is entirely by design?

If you collect so much diverse data that you exploit in 100 different ways and share with 1000 different companies that you require a hundred pages of individual consent checkboxes, the system is working as intended.

Will most users just accept all? Maybe. But I think the share of concerned users is larger than you believe it to be. And if history is any indication, "reasonable default settings" have a bad habit of never erring on the side of data collection minimization, particularly for new and novel features.


It should be a requirement that the hassle is proportional to the data sharing. Want to share my data with 100 different places? Make me click 100 checkboxes.


Where does it say Google shares its data with other companies?


I think they are perfectly free to present an unticked "personalize ads" box as a reasonable default.

> For vast majority of users advanced configuration options look like mumbo-jumbo, so most users will learn to quickly accept whatever mumbo-jumbo they are presented with -- without reading it at all.

Hiding the (pre-ticked) consent boxes in "advanced configuration" UI has been the default strategy so far. This fine made clear that this doesn't actually work to obtain valid consent.


Why do you think that an unticked "personalize ads" box is a reasonable default?

I, personally, when I browse internet, strongly prefer personalized ads (over non-personalized ads).

Most users, probably, do not care either way (because they do not understand the implications). But the business (e.g. Google) cares about ads personalization a lot, because ads personalization significantly increases tax revenue and reduces the number of irrelevant ads that users see.

In this situation the reasonable default choice is to allow ads personalization, so the business will have ad revenue to function and deliver functionality users need.


In this case, the EU per their democratic processes decided they need additional consent. Easy as that.

> because they do not understand the implications

This is the point. Relying on people not understanding something is not ethical and certainly not "reasonable".


> EU per their democratic processes decided

Do you imply that democratic processes never make mistakes?

> Relying on people not understanding something is not ethical

CNIL bureaucrats rely on people not understanding that these GDPR regulations make the internet worse (annoying "accept/deny cookies" questions, less relevant ads, less revenue for businesses to create functionality users want).

Would you say that CNIL is unethical?


How does the GDPR force any of that?

Anyway, that's whataboutism.


>>I, personally, when I browse internet, strongly prefer personalized ads

Which is fine if you want to click the checkbox to enable personalization. But not everyone wants that personalization and tracking. For instance, I've found personalized ads to be worse than generic ads, where Google tries to sell me a product for weeks after I researched and purchased it. If you enjoy the personalized ads, there is nothing to stop you from opting in, but that shouldn't be the default behavior.


It's not about personal preference. The GDPR does not talk about a "reasonable default", but about "freely given, specific, informed and unambiguous" consent from the user. There must be a "clear affirmative act" by the user, so consent has to be opt-in.


> There must be a "clear affirmative act" by the user

... according to GDPR.

My point is that GDPR is bad (for internet users) at the very core (intent) of GDPR legislation.

I claim that it is bad for internet users to force them to make cookies decisions for every website that wants to use cookies.


> I claim that it is bad for internet users to force them to make cookies decisions for every web site.

Which EU law do you think forces this? Please can you link to it?


There's no penalty for prompting when consent is not needed, so everyone just decided to prompt of their own volition to minimize legal risk. The law doesn't force sites to prompt, but it effectively forces users to answer prompts.

See also: California's prop 65.


I wouldn't actually mind that. What does annoy me is that most prompts are heavily biased to make you give consent - e.g., declining is made a lot harder than just blanket accepting.

The reasons for those are obvious and somewhat understandable from the companies' POV. Nevertheless, I don't see how a prompt employing dark patterns constitutes free and informed consent.

As such, I'm glad this decision seems to go in the same direction.


If you want to see "hilarity" in regards to California's Prop 65, take a look at this surplus electronics vendor:

https://www.allelectronics.com/

...while not apparent on the main page (I'm sure they'll fix this in time), if you click on any item, no matter which item, there will be a little "Prop 65" warning notice, with a link to this page (rendered as a dialog):

https://www.allelectronics.com/cms/ca_warning/ca-warning/1.h...

The print catalog is even funnier, if you receive it - every single spot of a component or part has the Prop 65 warning.

Someone should print up a bunch of "Prop 65" stickers, and plaster them on everything in California (for all I know, they are already doing this).

It's all kinda absurd.


Sure, but that's different to saying the law forces you to gain opt-in consent if you use cookies.


I meant "make cookies decisions for every website that wants to use cookies" (I just updated my comment).

==========

https://eugdpr.org/the-regulation/

The request for consent must be given ...

==========


More precisely: for every website that wants to use cookies and chose (or had to choose for lack of alternatives) consent as their justification for processing. Not all data processing requires consent.


Please can you paste the text that you think forces websites to gain consent for all cookies if that website uses cookies?

The site you linked is not the law, it's some kind of blog. But let's use this site: where does it say that all cookies require opt-in consent?


CNIL is intentionally vague, so I do not see a clear quote that demands a consent form for cookies.

But this is what we know:

1) Almost all popular web sites that serve an EU audience added a personalization consent form.

2) This is what CNIL defines as "personalization"

---

https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

---

My estimate is that over 90% of popular web sites that use cookies -- use users' "personal data" (according to this definition).

That is why I wrote "website that wants to use cookies".

I, probably, should not focus on "cookies" and focus on "website personalization" instead.

Almost all popular websites use "personal data". GDPR forces these websites to present "consent form" to users, whether users want to answer that consent question or not.

I, as a user, do NOT want to be forced to see that "consent" question on my first visit of a website, but GDPR forces me to. That is abuse of government power.


> My point is that GDPR is bad (for internet users) at the very core (intent) of GDPR legislation.

You're conflating interests of internet companies and interests of users a lot here. No doubt, this is not in the interests of internet companies - however, I fail to see how it's actually bad for users.

If you're unnerved by the cookie banners and don't care about your privacy, you're always free to click the prominent "accept all" buttons and continue like before.


Personalized ads require some sort of your information to be stored, which is why I think that it is not a reasonable default. In addition to that by making the information collection opt-out you could easily track the privacy-minded that decide to disable it - see DNT for example.


> Most users, probably, do not care either way (because they do not understand the implications). But the business (e.g. Google) cares about ads personalization a lot, because ads personalization significantly increases tax revenue and reduces the number of irrelevant ads that users see.

This is exactly the reason for the GDPR. Users don't understand the implications and so they shouldn't be automatically opted-in to systems that violate their human rights.


Compliance is easy. Make the default "no tracking, no ad customization". Only trying to evade that makes it hard.


The simple approach is the Do Not Track option activated in my browser. Seems like nobody cared about it, so yeah, forcing opt-in is the way to go.


Almost all advertising companies were gearing up to respect that, then IE10 violated the standard as in the RFC and set a default value for that header.


> Do Not Track option activated in my browser

1) "Incognito" mode.

2) "Clear browsing data".

> Seems like nobody cared about it

That is exactly my point: the vast majority of users do not care much about removing their cookies.

If users do not really care, why pollute the UI of websites with questions that users do not care about?


Those things don't stop companies from collecting information on you. I wish that stuff was stored locally.

>Most websites and web services, including Google's, don't change their behavior when they receive a Do Not Track request. [1]

1. https://support.google.com/chrome/answer/2790761


If the default was not to track the user, it would not be a problem. Advanced settings could allow the user to opt-in to various forms of tracking.


> CNIL forces bad UX pattern on EU users.

I prefer bad ux patterns over dark ux patterns.


That's bullshit. Explaining what you get and what you give is not bad UX and can be integrated nicely into almost any user path.

UX is not about smoothness of the first 5 min of using a product. Long term counts. Let's ask how people feel about Facebook these days? They had a perfectly blindfolded way to onboard you, do you still think that is good UX?


I don’t want a 5 minute onboarding process to read a news article.


I wouldn't choose to give up any personal information to read a news article.


> Long term counts.

Only if you keep using the same website again and again and do not delete cookies.

Is it your goal to reduce the number of websites that users visit?


I'm sorry, you're right, I only used Google 2 times last year. Name 1 internet website that doesn't care about retention. People usually don't delete cookies at all, and it could be a good pre-signup tool. And if a website that I'd only use once vacuumed all my personal data, I'd really question their ethics.


> CNIL forces bad UX pattern on EU users.

It doesn't. The current breed of UIs that we see is companies trying to find an easy way out. Easily half of them are illegal under GDPR: they are either ambiguous, or redirect to third-party websites, or employ dark patterns, or require consent to collect data that's not required for website operation, or all of the above and more.


From TFA:

"That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance)."

I don't think the "More options" issue would have been too much of an issue if all the options weren't preselected.


I find it fascinating that Google gets a 50M fine for not having the exact UX experience France thinks they should have but then fines a French company 250K for breach of actual user data. Makes sense.


GDPR fines are intended to generally be proportional to the company's revenue.


Furthermore, this is the first fine falling under GDPR. The previous fines handed out by the CNIL were pre-GDPR, with much lower maximum amounts (300 k€). So a 250k€ fine is close to the maximum they could fine, which makes sense given the offense.


This is how you weaponize legislation. I'll be damned if "they are going after the big guys". Just reading the ruling tells you that any DPA can come up with any kind of justification if they have a beef against you. Not only is the law vague, now they can fine our businesses because we have "buttons and links on which it is required to click to access complementary information". And this is only the DPA of France. There are much more corrupt governments and officials across EU countries. Romania is already having some fun with it. Good luck to everyone, but I'm expecting this to backfire spectacularly in the medium term.


Although 50M EUR is a minor fine for a corporation the size of Google, this goes beyond a "warning in writing in cases of first and non-intentional non-compliance". Does this mean that Google has been previously given such a warning and violated it, or that they've been judged to have intentionally not complied?


Google Translate link (of the irony):

https://translate.google.com/translate?hl=&sl=auto&tl=en&u=h...

And the full decision (in french, too) for anyone wanting to read 31 pages of scanned legalese (not too harsh, though): https://www.cnil.fr/sites/default/files/atoms/files/san-2019...




Thanks, I didn't find it when posting the link. If a mod could update it it would be nice !


That translation is only marginally better than the automatic Google Translate translation.


The CNIL has a very constrained budget (since the need for them keeps increasing, and their income doesn't), so spending money for an English translation is probably not very high on their list. I would not be surprised if it's one of their regular employees who just happened to speak English who does those.


> I would not be surprised if it's one of their regular employees who just happened to speak English who does those.

For very low values of "speak English", of course - this is France after all. That translation is so peculiar, it reminds me of the Chinglish manuals we get with cheap manufactured products.


This is an interesting case. So France is essentially arguing that not only should opt-in be visible (as they mention it is on Google's create account page), but that configuration should be immediately visible as well. This will screw over much more than google should it be upheld.

It's interesting that this wasn't brought up to my employer in Sweden. We had default data collection settings checked and in a separate view accessible by a similar "more options" toggle and it was deemed okay as long as we had a visible blanket opt-in checkbox and a link explaining the settings, how we use data, and how to adjust. Our regulators said it would be enough as the goal of GDPR is to make every use of data reasonably known, adjustable, and revocable with good faith toward the user. Yet here it seems France is arguing that it is about immediately showing all settings to the user and that every website should tell the user to their face about every single configuration of data usage. It's possibly a good approach, idk, I feel it is a bit too annoying of a precedent and that they are nitpicking a bit.

I can't wait for this to fully play out. Regarding documentation and informing the user, I disagree with their findings entirely about the frustration of finding data usage info as all of France's concerns were lost on me upon visiting https://safety.google/privacy/data/. To me it seems that Google has made a good faith effort at least in documentation.


Informed consent is the bane of any business that relies on dark patterns.


And any business whose users are too stupid to be meaningfully informed. AKA just about everyone.


I agree that this would put basically any service in existence into non-compliance.

As a user, I do agree that a "blanket opt in" button/ default checked checkbox is so pointless that it could as well be left out.

An EASILY DIGESTIBLE page explaining what data is stored and how it is used, with an agree button at the end (and separate opt-in for different sets of data/functionality) should be mandatory.

Emphasis on the easily digestible, because we all know that the "terms and conditions" pages out there are constructed to be as obtuse and uninformative as possible to make users just skip them.


Honestly at most 10% of the sites that I have seen allow you to opt out with a single click, whereas basically all of them allow you to opt in. Some don't allow you to browse the site without accepting.

We need some general browser based auto script, so that websites don't get to ask, something like a do not track header, but one that was legally binding.

Until then I click accept on all the sites that I use on my phone, they can set all the cookies they want, as I use Firefox Sync, which erases all data whenever you press back or close the browser.


I use a Firefox add-on[1], which works for the Quantcast banners (adds an "I refuse" button), but would definitely like something that works equally well for all websites, or that websites fix it themselves. Maybe even better, if they could simply follow the DNT flag, or not track their users in the first place.

I worry that accepting cookies once, for one of these sites, will lead them to try and de-anonymize you, maybe even across private browsing windows, or different sessions. If you give them the right to basically fingerprint you, be assured that they will abuse it.

[1] https://addons.mozilla.org/en-US/firefox/addon/qookiefix


It should be a very simple requirement that whatever the way is to “agree to collection and enter site” must not be simpler or more prominent than the action required to NOT agree to non essential collection and still enter.

That is, no more “agree and continue” that isn’t accompanied by an equally prominent “continue without tracking”.
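To make the "equally prominent reject" rule concrete, here is an added example of a consent-state model for a cookie banner; it is not code from the thread, from CNIL or from Google, and the category names, the script registry and the button description are constructed. It encodes three things the comments above argue: nothing is pre-ticked, no third-party script loads until an explicit affirmative action, and "continuing to browse" is not an action at all.

```javascript
// Added example (constructed): consent model for a banner where declining is
// exactly as easy as agreeing. Not code from the thread, CNIL or Google.
const CATEGORIES = ["analytics", "ads_personalization", "social_embeds"];

// Constructed registry of third-party scripts, keyed by the consent category
// each one needs. Nothing here is injected until that category is granted.
const SCRIPT_REGISTRY = {
  analytics: ["https://analytics.example/collect.js"],
  ads_personalization: ["https://ads.example/personalize.js"],
  social_embeds: ["https://social.example/widgets.js"],
};

// The state a visitor starts in: undecided, every non-essential category off.
function initialState() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = false; // no pre-ticked boxes
  return { decided: false, choices };
}

// Apply a user action. Only the three explicit actions change state; anything
// else (scrolling, navigating, closing the banner) leaves it undecided.
function applyAction(state, action) {
  const next = { decided: state.decided, choices: { ...state.choices } };
  switch (action.type) {
    case "accept_all":
      for (const c of CATEGORIES) next.choices[c] = true;
      next.decided = true;
      break;
    case "reject_all":
      for (const c of CATEGORIES) next.choices[c] = false;
      next.decided = true;
      break;
    case "save_custom":
      // Only categories the user explicitly ticked become true.
      for (const c of CATEGORIES) next.choices[c] = action.ticked.includes(c);
      next.decided = true;
      break;
    default:
      // e.g. {type: "navigate"}: implicit behaviour is not consent.
      break;
  }
  return next;
}

// Which scripts may be injected for this state. Undecided means none.
function scriptsToLoad(state) {
  if (!state.decided) return [];
  const urls = [];
  for (const c of CATEGORIES) {
    if (state.choices[c]) urls.push(...SCRIPT_REGISTRY[c]);
  }
  return urls;
}

// Layout check for the banner itself: the reject control must sit at the same
// step as the accept control and use the same visual style, otherwise the
// banner steers the user. `buttons` is a constructed description of the UI.
function bannerIsSymmetric(buttons) {
  const accept = buttons.find((b) => b.role === "accept");
  const reject = buttons.find((b) => b.role === "reject");
  if (!accept || !reject) return false;
  return accept.step === reject.step && accept.style === reject.style;
}

// Demo: navigating loads nothing, accepting loads everything, and a reject
// button hidden behind a "more options" step fails the symmetry check.
if (typeof module !== "undefined" && require.main === module) {
  let s = initialState();
  s = applyAction(s, { type: "navigate" });
  console.log("after navigating:", scriptsToLoad(s)); // []
  console.log("after accept_all:", scriptsToLoad(applyAction(s, { type: "accept_all" })));
  console.log(
    "symmetric banner?",
    bannerIsSymmetric([
      { role: "accept", step: 1, style: "primary" },
      { role: "reject", step: 2, style: "link" },
    ])
  ); // false
}
```

The symmetry check is the part a reviewer would actually run against a banner design: a primary "accept" at step 1 with a text-link "reject" at step 2 is the layout that the fine criticises, and it fails here for the same reason.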


> I agree that this would screw over basically all services in existence.

So, the market is so skewed that that is how presumably somewhat informed people perceive it?

I mean, I would think it is just obvious bullshit. There are plenty of businesses that sell you a service for money, and that is all they do, and this kind of regulation has exactly zero impact on them. The only problem is that they have to compete with others who simply mistreat their customers in order to be able to ask for less money--so it's about time that a level playing field is restored where it's obvious that anti-asshole regulation does not impact everyone.


I was just referring to the way information is currently presented on most websites.

I did not mean businesses would become unviable, just that everyone needs to change the way they present GDPR relevant information.


But that is exactly the bullshit that I was referring to! No, if you haven't mistreated your customers before, there is no need to change anything, and there are plenty of businesses that haven't. There was never any necessity to spy on your customers, and thus there obviously is also no necessity to get consent for the spying that you are not doing in the first place.


I have no idea what you are talking about.

This has nothing to do with spying or mistreating customers.

As a customer, I want to know what data a service stores and how it is used, without digging through pages of cryptic terms and services.

Informed consent is the keyword here.

Plenty of paid services share their data with third parties.


> As a customer, I want to know what data a service stores and how it is used, without digging through pages of cryptic terms and services.

As a customer, I simply want my data to not be stored at all, unless I explicitly asked for it, in which case the consent is obviously implied.

> Plenty of paid services share their data with third parties.

And plenty of paid services don't. And those don't have to change anything. That's my point.


Consider a site that sells digital goods for download. They need to store information that provides evidence of your physical location, such as IP address [1], in order to satisfy tax authorities that they collected the right jurisdiction's VAT or sales tax.

I doubt that you are going to explicitly ask sites to store your IP address, so how do you think that should be handled?

[1] IP address alone doesn't prove location, but it is evidence. The EU, for example, requires for internet sales that you justify your choice of whose VAT to collect by providing two non-contradictory pieces of evidence for the location you chose. IP address can be one of those pieces. Billing address of the card used for the purchase can be another, and for most people that and IP address is enough.


That is an entirely different matter than what this decision is about? I would think this probably doesn't even need explicit consent, as it is stored in order to fulfill a legal obligation that results from the sales contract.

Now, maybe it would be preferable to ask for permission in those cases as well (just put a checkbox in the order form?), but my point (though maybe not stated clearly enough) was not that I expect data to be stored only when I explicitly ask for it to be stored, but that it is only stored when I explicitly ask for something that necessarily requires the data to be stored. So, if I order some digital goods, it might be required that the shop stores my IP address, so that's probably OK. But my point is that that does not include the permission to use it for anything other than fulfilling the legal obligation, and most certainly not to also store my navigation behavior on their website, or to keep it once they don't need it for tax purposes anymore.


This sounds like a "legitimate interest"[1] and/or "legal obligation"[2], which is a lawful basis for processing personal data under the GDPR, even without explicit consent. Explicit consent only enters into the picture when no other lawful basis for processing personal data exists. You can find a full list of lawful bases at [3].

[1]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

[2]: https://ico.org.uk/for-organisations/guide-to-data-protectio...

[3]: https://ico.org.uk/for-organisations/guide-to-data-protectio...


The CNIL has explicitly stated it is going after dark patterns, and blanket opt-in is one. The only real question was over standing, i.e. whether the Irish DPA has jurisdiction or not.

As for the amount of the fine, even if it is small in comparison with Google’s profits, it has to come from one employee’s budget. That one person will be strongly motivated to fix this.


The case has to be seen in the light of the complaint:

https://noyb.eu/wp-content/uploads/2018/05/complaint-android...

CNIL agreed with the Complainant.


I feel like it's a little funny to complain about Google's GDPR violation while setting up a Huawei phone.


The data goes to Google. If there's evidence that Huawei phones spy on the user beyond that, submit it to CNIL?


The point is to make you stop collecting the data at all, not to make you wriggle and worm your way into continuing to spy on users.


These fines are really just a way for European govts to claw back money which they feel they are owed by American tech companies for being successful in European markets. In a global world, that's a wrong way to look at things. It is time to cut admin fat in EU govts and stop penalizing productive businesses.


The top of the CNIL site literally says:

> If you continue to browse this website, you accept third-party cookies used to offer you videos, social sharing buttons, contents from social platforms.

That looks like an illegal opt out. They should fine themselves :)


CNIL doesn't process any personal information when you're just visiting the website, so they don't need to ask for your consent. This is not a request for consent. This is like the older "Cookie Law" popup, where they give you the ability, if you shall choose, to refuse the social features so you're not loading third-party cookies.

Also, as the decision regarding Vectaury[0] shows, CNIL considers that it's up to every platform to explicitly ask for your consent before processing your personal information. So it'd be up to Facebook or Twitter to present you the opt-in feature, in case you're not connected to their platform yet.

CNIL does ask for your consent if you want to contact them and you're filling in the contact form. They provide a link[1] to the complete list of required information: content stored, processes done, who will see the data, for how long, and who to contact to object.

[0] https://twitter.com/robinberjon/status/1063549722613432320

[1] https://www.cnil.fr/fr/donnees-personnelles/plaintes-en-lign... (in French)


If you look just to the right of that statement, there's a button labeled Personalize that lets you set which 3rd party services you consent to. Correct me if I'm wrong, but that appears compliant...


I'm not trying to bait a fight here, I'm genuinely curious. Why is that okay but the way google is doing it isn't?

From the linked article:

> The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.

How is that different from the banner on cnil.fr? When you click personalize, you are brought to a page where you have a list of services they share your information with. Clicking on "read more" for any of the video sites near the bottom shows a pretty nonsensical page [1] which tells you an "Activation rate" and how many cookies it sets (which in the case of the "facebook" option says "this service does not use cookie"). Then clicking on the "view the official website" sends you to [2] which states how they use cookies.

I genuinely don't understand why they are allowed to put the information in a menu that is behind a "personalize" button in a menu, and then only explain how the data is shared by clicking on several other links to understand, but google is getting fined for doing what seems like the same thing.

Even if you click the "view the official website" for YouTube on the permissions screen on cnil.fr, you are sent to [3], which seems like a VERY comprehensive screen that details all the information they collect, what they do with it, and how to stop it.

And if Google or cnil.fr can't get this right, what hope do I have of getting it right?

[1] https://opt-out.ferank.eu/en/service/facebook/

[2] https://www.facebook.com/policies/cookies/

[3] https://policies.google.com/privacy?hl=en&gl=en


Because opting out for Google requires settings that are hard to find (and seem like they are intentionally hard to find) and set across multiple pages, where it is difficult to know that you have opted out of all data collection. Furthermore, with the distribution and obfuscation of the settings it is difficult for anyone to know how much data Google has, and one of the provisions of GDPR is that companies allow consumers to access their personal data. In this regard Google is even worse than Facebook. I expect that, if cnil.fr is compliant, then clicking deny all stops all data collection.


Citation needed. I just checked accounts.google.com > privacy settings and it seemed reasonable. I think having links for details made it much more clear than dumping everything together.


>it is difficult to know that you have opted out of all data collection.

So the issue is a lack of a single (or a very limited number of) "opt out of all data collection" button? I didn't know that was a requirement. How does that requirement interact with data which is required to run the business? Isn't the single "opt out" to delete or not create the account in question with Google?

>it is difficult for anyone to know how much data Google has, and one of the provisions of GDPR is that companies allow consumers to access their personal data.

Doesn't [1] show it pretty explicitly for Google?

It's not all on the same page, but it's not like it's all hidden or purposefully obfuscated. And I'm not sure how you would even fit it all on one page, it would be extremely hard to navigate if that were a requirement.

>I expect that, if cnil.fr is compliant, then clicking deny all stops all data collection.

And I would expect that if you don't check the "« I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy»" boxes that the article talks about, then Google will not collect any data on you, and I don't believe there is any evidence to the contrary.

The root of this seems to be that Google:

1. Doesn't tell the user well enough what their data is used for. I'm floored at the idea of this because Google has among the most comprehensive systems for explaining and controlling how your data is used within the company. This specifically terrifies me as Google is the standard that I'd hold any company I'm in to, as the way they show and explain how they use data is very understandable to me and many I've talked to about it. It almost seems like they will have to take a step backwards to become compliant and show a single page with a bunch of technical information on it that follows the letter of the law but in practice is useless for most people.

2. Is not getting informed consent from users on the data they do collect. And I genuinely don't understand why 2 checkboxes labeled "« I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy»" is not allowed, but a single "OK, accept all" on cnil.fr is allowed. Not to mention that the linked article specifically calls out that "it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined." But at the same time the link at [2] shows pretty explicitly where they get the data, where it's used, how it's used, and why, with plenty of links scattered throughout that take you to the page to limit that information gathering and delete information they already have.

[1] https://myaccount.google.com/

[2] https://safety.google/privacy/ads-and-data/


AFAIK active consent is required. Not clicking a button is not active consent.


Why can't we just set a single setting and have every website obey it?


It's called Do-Not-Track and was ignored...


If GDPR required websites to obey DNT would it still be ignored?


GDPR requires active consent (or so I have repeatedly seen on HN), and that was clearly ignored


Yeah, very true. :\


From what I understand, DNT is in fact shrined into law in the upcoming ePrivacy law though.


We had that in 2002, it was called P3P. Maybe it's time we came full circle...


We can set the single setting (Do not track), but websites can ignore it.


Why are third party cookies allowed at all?


I've had them disabled for years, and everything works fine.


So have I, but for some reason my browser cache is cluttered with 3rd party content I never asked for. The feature is evidently broken.


Turning off third-party cookies doesn't prevent third-party images, CSS, JS, or fonts from being loaded. Your browser just doesn't save or send cookies while doing so.

These third-party things should be in your cache.


I guess since they're imposing fines they must be a governmental agency of some sort, which means they have less requirements, and as others have pointed out they have the personalize button.


There are also two buttons next to it: "OK, accept all" and "Personalize". In "Personalize" you can allow/deny all and/or specific services.

You need to have Facebook enabled for instance if you want to use the Facebook sharing button at the bottom (same for Twitter).

And everything is disabled by default.

So it does seem like the correct way to do it.


Yeah... how does that work? Are they really this blind to what they themselves are doing?


Do you think whatever cookie they may set can be compared to the personal data google has on you?

The world isn't black and white.


They give you two buttons next to it, and one of them allows for opting out. Did they not render for you?


It says you accept the terms "if you continue to use this website". Before clicking any button, negative or affirmative. Not a lawyer but pretty sure that's against GDPR.


Does this mean that the consent Google has already obtained from users is invalid, and so they must request consent again in a GDPR-compliant manner?


Yes, as Google's argument was "...but we already got permission".

>The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons...


No, consents given BEFORE GDPR are considered valid. But new Google accounts are created every day... and this applies to them.


Have you read the part about consent given during account creation?


Sorry for being unclear:

- for Google accounts created and Android smartphones configured before GDPR (25/5/2018), consent is considered valid under GDPR

- for Android smartphones configured AFTER 25/5/2018, the consent is considered invalid, whatever the Android version or the time that the phone is sitting on the shelf, or whether the Google account already exists or not.

- moreover the consent is invalid for the Google account creation during the Android smartphone configuration

Google is fined "only" for what happens AFTER the GDPR (25/5/2018): Android configuration and account creation.


It will be interesting to see how this plays out. Between the GDPR imposing costs on the advertising model and Google being pressured not to go into China, it's more pressure on the top line of earnings.


Google would be fine, because Google's competitors (especially small ones) would suffer more than Google itself.

However EU users would suffer from GDPR fallout:

- Fewer services (due to lack of competition).

- Annoying cookies/privacy questions, forced by GDPR.


Hope they go after one of the ”cookiebot”-type splash sites next. What I mean is those that only have ”consent” or “leave”.

It’s a clear violation of the GDPR and yet tons of sites do it.


Will going after those sites actually accomplish much?

They'll just add a third option, "pay", which lets you buy access without them storing personal information (other than information they need to recognize paid users, of course). Almost no one will actually pick the "pay" option, so for most practical purposes it effectively reduces to either "consent" or "leave".


I'd be perfectly happy to see what effectively is 3 options: "pay with money", "pay with info" or "leave". Whether or not people choose the same option anyway doesn't matter, it's now a much more informed choice than before as it's obvious how much your information is actually worth.

Also, sites that can't be bothered to set up premium/paid access might go the LA Times route and block access in Europe, which I also think is completely OK.


50M EUR seems like a rounding error. Isn't Google earning over 30Bn USD per quarter?


Not if it's just profit from europe


Even then, if you assume Europe is somewhere between a 4th and a 3rd of their total revenue - which I'd expect it to be, given how the EU is a larger economy than the US and Google is even more dominant in Europe than in the US, and irrespective of ad budgets being traditionally lower than in the US - it seems tiny.


This is exceedingly petty even considering that the GDPR as a whole is a tool to subject US tech firms to a degree of scrutiny and control that would suffocate other industries and extract the occasional payout.

No one benefits from this, they just get shitty UX.


Its ironic that cnil has “accept all” as the default choice for 3rd party cookies on its site


Honestly, I think what they offer might be the best solution you can hope for: one button "I don't care", one button personalize and in it one button "disable all". People who don't care and just want the site to work aren't lost, people who care aren't lost, people who want to personalize aren't lost. If you care, it's two clicks total to disable everything, and it's very easy to find (the bright right "deny").

Should they have "refuse all" along with "accept all"? Yes.

Should "refuse all" be the default and thus features be disabled? I'm not entirely sure (see what they list in the personalize, it's YouTube videos and Twitter cards ...).

In terms of the intent of the law (give control to the user and make it easy to opt out), I would say they are doing fine. As opposed to all those shitty websites where you can't find how to disable, or you have to disable a bazillion things by hand.


Refuse all needs to be the default, because that is the law. Even when it comes to the intent of the law (which is to give control to the user and also not make lazy users "accidentally" give up all of their right to privacy) they are not doing fine. They're doing better than their peers, who have made even more malicious choice dialogs.


I agree as a matter of "how is the law written now", I was talking more of a "how I hope as a user that it could/will be".

If we go with everything off by default by law and try to apply it, we will end up with a broken web, meaning websites will not follow the law because it makes a stupid and not be punished for it because it's become the norm, just like the (bad) cookie law.

I'm ok with how it is on their site (based on how easy it is to disable; myself I disable all on such sites); it's quick with only 2 clicks total, and it's easy to figure out with a clear color scheme and wording.

It's important to understand we make the law not for us tech users, but for everyone. Finding a solution that works for everyone and gives them what they want is important.


Why would we end up with a broken web?

Remember that consent is only needed if you can't rely on one of the other conditions for storing that data. If you are, say, selling a product, there's no need to ask for consent at all for using the customer's data to bill them and ship it. If the user changes some setting in your site, there's no need to ask for consent to store that preference.


Websites will learn to follow the law or they will die. And the web will be better off for it. Stacking dark patterns has been a thing for way too long, it is high time that movement dies.


Not only that, but you don't even need to click the 'accept' button, just navigate elsewhere on the site. What about screen readers or custom CSS? I doubt this is informed or specific consent.

Of course, these are different magnitudes of offences, but they do indicate how insidious and normalised are the patterns established by companies like Google, Facebook, Twitter and co.


Very few websites have implemented this properly, I think I've seen only 1-2 newspapers.

The rest either have an "accept all" or "pre-ticked accept" or a tiny, misleading "more options".


I think that the Cnil should lead by example and I suspect that a lot of people see the irony. If they show what can be done, or even better, open-source a working solution, that could disprove the “everyone does it” argument which… hasn’t exactly proven sturdy to even minimal ethical testing so far.


I lived in an Asian city where private buses could be fined even if they had one person more than total seating capacity. Meanwhile government buses could be so overcrowded that people could fall off the door and the bus wouldn't stop over that incident.

So governments and bureaucracies can be impervious to rules they expect everyone else to follow. This site seems a humongous fan of bureaucracy as long as it is European.


At least the "Cookies Management" panel is displayed prominently at the top of the page for pretty much every page of the site.


Ahh yes, the ole regulate everyone except ourselves trick


My understanding is that those cookies are covered by a separate ePrivacy rule that isn't fully finalized yet, not the GDPR.

But yeah, it's bad optics.


I really hate that if I start looking for bdsm stuff on Amazon I start having bdsm related ads everywhere. It's really uncomfortable when friends are shoulder surfing.


I don't know if this will help in your specific case, but Amazon has an advertising preferences section in your account settings, where you can opt to "Do not show me interest-based ads provided by Amazon".


The only ethical thing to do, is to block advertisement: https://github.com/gorhill/uBlock/



Just have 2 amazon accounts, SFW version and NSFW version


I guess that's what Firefox containers are for, just don't forget to name it 'vintage-math-books'



I'm not surprised by this. It's pretty clear that having a pre-ticked checkbox is not allowed under GDPR. It's also against the intent of the law to require 6 clicks to deny consent but only 1 click to grant it.


What's not allowed is pre-checked opt-in. As France mentioned that's not the case for google. Only a default configuration is pre-checked. The opt-in is a separate immediately seen checkbox saying you agree to data usage for personalization etc. Along with a link explaining how to adjust.

Edit: I should say that this approach was deemed acceptable by Sweden's dataskyddsmyndighet, which is the government regulatory agency, and is a common approach in many sites.


Perhaps I misunderstood and was relying too much on my memory of the Google UI when I was in the UK. Is there a YouTube video or series of screenshots showing exactly how to grant or deny consent with Google?


Bless you


This is going to be one helluva ride; there are thousands of web sites using the same kind of implementation, and a 50M fine does send quite a message.


> and a 50M fine does send quite a message.

Yes, it sends the message that France is going to keep trying to attack Google & Facebook until they relent and exit Ireland.


The CNIL is an independent regulatory body; I doubt Google's tax situation was a big factor in the decision. Or are you arguing that they were unjustly fined for purely political reasons?


Yes, I'm sure they are very independent and certainly aren't informed by the culture of political hatred for these companies. Even their personnel belie that thought. They state the first tests of this complaint were performed in Sept 2018.

There is no evidence that they worked constructively with google to resolve the technical and nuanced issue (a breach of predictably vague and complex laws).

This seems to specifically relate to "create account" on a reset Android device when it gets to the Google services section. That's a long walk for a short drink of water. Which version of Android is not compliant? Is it universal?

In enforcing regulations changed just months before, there has to be reasonableness. Issuing a EUR50m fine 2 months after discovering an edge case like this is not reasonable. Helping the company comply is the right behaviour. Then seek punitive measures if they fail to.

It states 10k people made a complaint about this. No they didn't. They even take a swipe at the Irish government in their release.

I'm all for bashing google and have numerous issues with them, but this is nonsense.

If you run a business and are not remotely concerned about the abuse of this legislation, you have lost your mind.


I have no idea if the CNIL acted also out of tax reasons, something which is hard to prove, but they haven't been exactly friendly to Google for the past decade.

Among other actions, they're the ones that have been taking Google all the way up to the EU Court of Justice to enforce worldwide the right to be forgotten. The advocate general just sided with Google less than two weeks ago, which makes for an interesting coincidence. They, and IFP in particular, have been itching in public interviews for the power to levy higher fines. Now they are simply following up on past statements.


CNIL itself has "pre-ticked" consent.


Cute observation, but the difference is Google gets consent for many different personal-data-collecting services without sufficient granularity in how it asks for the consent. And a myriad of other intertwined problems described at length in the fine article. The difference in nature was fundamental to their determination, as is well explained.


> Google gets consent for many different personal-data-collecting services without sufficient granularity in how it asks for the consent

If you click "OK, accept all" on the CNIL site, it looks like that enables integrations with Facebook, Twitter, Prezi, SlideShare, Vimeo, and YouTube. Doesn't seem granular at all.


I dunno, man. I read this stuff as France collecting taxes vindictively, while not really caring how the regulations play out in the larger ecosystem.

At some point French regulators were pushing for a rule that any processing of French citizens' data had to be done in France... which is a great combination of untenable and an obvious jobs program.

Likewise, this comes across as incredibly arbitrary, with enforcement driven by fines rather than actual clear regulations. Non-compliance on their own website just hammers it home.


>> At some point French regulators were pushing for a rule that any processing of French citizens' data had to be done in France... which is a great combination of untenable and an obvious jobs program.

Why not, though? If Trump is promising to leave NATO without the military support from the US, then the EU has every reason to create the laws that enforce that commitment.

The fact is that as of now, the larger ecosystem is not in a balanced state at all.


> a myriad of other intertwined problems described at length in the fine article

Then let's not make blanket statements about whether "pre-checked consent" is permissible or not.


As a European: <3 <3 <3

Also:

"This is the first time that the CNIL applies the new sanction limits provided by the GDPR."

I'm super happy the law is hopefully finally starting to get some teeth. I sincerely hope it gets successfully tested in court, and that lawyers will smell money in slamming down on companies trying to blatantly fake their way out of GDPR by cheating users into "accepting" the pre-GDPR status quo.


As a European, I disagree. This is not a good ruling for anyone who has their business in Europe. It reads petty and kinda insane. And I just don't get the "suck it, Americans" kool-aid that the whole of the EU is into atm.


Google made $32.32 billion in Q4 2018.

That's $384.76 million per day.

Fines this small accomplish nothing.


I'd love the boss where an avoidable €50m loss isn't a big deal.


But the fine increases with non-compliance, up to 4% of their yearly revenue.


Well then that's good, because this may as well be a verbal warning.


I agree with you. I would also suggest that fines are a niggling mentality. A serially non-compliant company like Google should have its financial holdings [all of them] taken into receivership and appropriately docked until it complies or liquidates and ceases operations. Now there are some big pointy nasty teeth to sink into the bone.


Revenue is the reward mechanism of capitalism; fines are great as long as they're big enough. I think the percentage route is the way to go.

Corporations make all their decisions based on risk/cost/reward; if it costs X to respect people's privacy, and it costs Y (via fines) to not respect people's privacy, you just have to balance that equation. Shareholders will do the rest.


Yes, revenue is the reward; however, when a big bad kid uses his toys to assault anyone else in the sandbox, we take those things away. The fines being levied are nowhere near enough to be punitive, and can be simply shrugged off as a cost of operation. If Google's executives were relieved of their positions, even temporarily, by a court-appointed 3rd party for the purpose of remaking Google in a compliant form, the problem would end dead stop.


"can be simply shrugged off as a cost of operation"

You clearly didn't read my last message very closely. The whole idea is that the fine needs to change the economics so that it's no longer a good business decision. A business is going to pick the path of least "cost of operation", so you make sure that those forces push it in the direction that's best for society.


You clearly underestimate the revenue of Google. 57 million dollars is something Google can shrug off as a cost of operation. Attack the strongest point, not the weakest point, and not the poster; please review the HN guidelines.


"OK Google" ;-) Facebook, Amazon... please stay in line!!! :-D

I saw so many websites, big or small, implementing the GDPR the easy way and calling it a day... without any thinking or consideration for their users... that now everybody may think twice?

Google was an example, a message. That's why CNIL chose such a big player: 1) it's too big to be really hurt by the fine; 2) most other businesses, a lot smaller, will be frightened and will re-think their slacking approach. It's a way to say "don't mess with us".

The funniest part is that usually the US administration tries to help US businesses in such cases. But I don't think that the Trump administration, moreover during a shutdown, will...


> That's why CNIL chose such a big player

FWIW, CNIL didn't choose a big player. They're responding to complaints advanced by the two associations mentioned in TFA, that is La Quadrature du Net and None Of Your Business.


What?

Of course they chose. They have received the same complaints about literally thousands of companies, and chose to advance these two first.

Regulators (no matter where) always make strategic decisions about who to prosecute and when. That's part of the job.

I'm not sure why we are trying to pretend they are robotic automatons who just process complaints exactly as received.


In interviews back before GDPR, the CNIL stated that, when the maximum fines allowed weren't enough, they saw the PR embarrassment of making their rulings public, which is not required, an even higher punishment for Google. So they have been making strategic decisions for a while.


You're right.

In fact, they could have chosen Google, because they may act on their own without any complaint.

But they chose the amount ;-)


The EU is bringing in a copyright law soon; who knew the EU would be the one bringing down the internet?


For Google, this is small. Remember when they had to pay US$500M to the US DOJ for knowingly assisting in pushing drugs?[1]

[1] https://www.wired.com/2013/05/google-pharma-whitaker-sting/


> On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”).

As corporations become greedier, people more privacy-aware, and leaked data more abused by criminals, I think it's only a matter of time before Max Schrems (guy behind noyb and the fall of EU-US Safe Harbor agreement) is named Time's Person of the Year.


> the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.

"Therefore" reasoning works in the opposite direction than CNIL bureaucrats claim.

If Google is known for ads personalization, then:

1) Users who decided to use Google services should imply that Google will try to personalize their ads by default.

2) In order to "comply with obligation" to deliver ads personalization, Google should turn on "ads personalization" by default.


> If Google is known for ads personalization...

If you ask 100 random people what Google is for, how many people do you think will answer "ads personalization"? My prediction is "close to 0%".

Google's "About" page states: "Our mission is to organise the world’s information and make it universally accessible and useful". No mention of personalization involved.

Therefore, Google is NOT known for ads personalization.


A correct question to "100 random people" would be "Does Google do ads personalization".

My guess is that 70 people would not even know what "ads personalization" is.

Out of the remaining 30 people, 28 would correctly claim that Google does ads personalization.



