LONDON – After European policymakers adopted a sweeping data privacy law last year, the big question was how regulators would use their newfound authority against the most powerful technology companies.
In the first major example, the French data protection authority announced Monday that it had fined Google $57 million for not properly disclosing to users how data is collected across its services — including its search engine, Google Maps and YouTube — to present personalized advertisements.
The penalty is the largest to date under the European Union privacy law, known as the General Data Protection Regulation, which took effect in May, and shows that regulators are following through on a pledge to use the rules to push back against internet companies whose businesses depend on collecting data. Facebook is also a subject of several investigations by data protection authorities in Europe.
The ruling signals a new phase in enforcing the European law, which the region’s lawmakers and privacy groups have cheered as a check against the growing power of technology companies, while for general consumers it has led mostly to a frustrating increase in the number of consent boxes to click. The fine against Google is just the fourth penalty against any company since the law took effect.
Europe’s experience is being closely watched by policymakers in the United States, who are considering a new federal privacy law. Tim Cook, Apple’s chief executive, last week called for new rules that closely follow Europe’s.
Europe has become the world’s most aggressive tech watchdog. In addition to the privacy rules, the region’s regulators have set the bar with stricter enforcement of antitrust laws against Google and other tech behemoths and taken a tougher stance against the industry’s tax policies. Google, a frequent target, was fined a record 4.3 billion euros last year for abusing its power in the mobile phone market.
The ruling Monday takes aim at Google’s business model, which uses data collected from users to narrowly target ads.
A central element of Europe’s new regulations is that companies must clearly explain how data is collected and used. France’s data protection regulator, known as CNIL, said Google did not go far enough to get consent from users before processing data. Instead, it said, people are largely unaware of the data they are agreeing to share, or how Google plans to use the information.
In a statement, the regulator said Google’s practices obscured how its services “can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”
Google’s size — it has about 20 different services — makes its data-collection practices “particularly massive and intrusive,” French authorities said.
Google defended its policies and said it was determining whether to appeal.
“People expect high standards of transparency and control from us,” a Google spokesman said. “We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
The case against Google stemmed from a complaint filed by privacy groups that accused the search giant of not properly adjusting its data-collection practices to account for Europe’s stricter privacy rules.