On January 21, 2019, France’s data-privacy agency, the National Data Protection Commission (CNIL), fined a large American technology company €50 million, or roughly $57 million USD, for violations of the European Union’s new General Data Protection Regulation. This is the first time a U.S.-based company has faced a significant fine for violating the new European data privacy regime.
The CNIL found that the technology company failed to properly disclose to users how their data was collected and how it was used. For instance, the company did not include the purposes behind processing data; data storage periods; or what data categories were used for ad personalization. It further found that the technology company did not properly obtain consent for showing consumers personalized ads. The company’s website does not distinguish or delineate its plurality of services, making it difficult for the consumer to discern the amount of data collected and processed. The technology company also required users to opt out of personalized ads, instead of requiring them to affirmatively choose to receive such ads.
The CNIL arrived at the penalty based on the severity of the violations, which it considered to violate essential principles of the regulation regarding transparency, information, and consent. It also considered the continuous nature of the breach, and the importance and prominence of the technology company in the French consumer market.