Today, the French data regulation agency, Commission nationale de l'informatique et des libertés, (CNIL), fined Google €50 million for violating the GDPR. See the decision posted here. The fine relates to Google's collection of data used to personalize advertisements.

The decision found that Google's policy for collecting personal data was not sufficiently transparent. A user of its services would have to take 5 or 6 actions in order to get a complete description of how his or her data would be processed.

Consent was ruled not to be valid when information about how data would be used for personalizing advertisements could only be located in several different documents. CNIL also faulted Google for pre-selecting the option to consent to the data collection.

The regulator ruled that the GDPR requires specific consent for each purpose to which an individual's data is to be used. In assessing the €50 million fine, the CNIL emphasized the importance of the fact that Google's practices have been ongoing for a long period of time (rather than being an isolated incident), and the large amount of data collected by Google. The official statement of the CNIL about the decision states that, ". . . given the dominance of the Android operating system on the French market, every day thousands of French people create GOOGLE accounts when using their smartphones. Similarly, this review takes into account that the company's economic model is partly based on the personalization of advertising. A special responsibility therefore falls on it to comply with its obligations in this area."