French regulators say Google failed to disclose how user data is collected and stored.
France's Commission nationale de l'informatique et des libertés (CNIL) has fined Google €57 million under the EU General Data Protection Regulation (GDPR), which came into effect in 2018.
CNIL, in charge of data privacy in France, says Google failed to fully disclose how personal information from users is collected and ultimately what happens to it. Google, according to reports, also did not obtain user consent to display advertisement personalized by the search engine. CNIL said[1]:
"The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations."
One of the issues identified by CNIL is that user information and permissions are "excessively disseminated across several documents."
The investigation into Google began at the same time GDPR was passed into law, when concerns were raised by privacy groups representing 10,000 individuals.
Google has responded by saying it is "studying the decision" before taking steps, and that "[p]eople expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
For Google, CNIL's current case is about the clarity of data use and permissions. Blockchain technology may pose both a solution for GDPR[2] – in the form of permission transparency – and a challenge, as blockchain networks can disseminate data freely across geographical borders.
Blockchain's ability to provide an immutable record, accessed in real time by any approved stakeholder, could pave the way for technology users to control all their accounts and privacy settings in a single place, only sharing the information
