PARIS — France's highest administrative court has upheld a fine of 50 million euros ($56 million) Google was ordered to pay for not being “sufficiently clear and transparent” with Android users about their data protection options.
Google was first slapped with the fine in January 2019, the first penalty for a U.S. tech giant under new European data privacy rules that took effect in 2018.
Google appealed the penalty issued by the French data privacy watchdog to the Council of State, France's final arbiter in such cases.
The council ruled Friday that the National Data Protection Commission had the right to sanction Google and that the fine was not disproportionate, “given the particular seriousness" and duration of Google's failings.
In force since May 2018, the European Union’s General Data Protection Regulation, or GDPR, is aimed at clarifying individual rights to personal data collected by companies. It requires companies to use plain language to explain what they’re doing with data.
In sanctioning Google, France’s data watchdog had said Google users were “not sufficiently informed” about what they were agreeing to as the company collected data for targeted advertisements.
It faulted Google for making users take too many steps, “sometimes up to 5 or 6 actions,” to find out how and why their data is being used and for being “too generic and vague” in descriptions of why data is processed.
The Council of State concurred and faulted Google for "particularly intrusive” data collection methods.
It said the firm “has not provided sufficiently clear and transparent information to users of the Android operating system and has not enabled them to give free and informed consent to the processing of their personal data for the purpose of personalizing advertisements.”