France’s top administrative court upheld a 50 million-euro fine (an equivalent of $56 million) imposed last year on Alphabet’s Google for breaching European Union online privacy rules, it said on Friday.
Although representing a tiny fraction of Google’s financial resources, the penalty sent ripples through Silicon Valley and is still the biggest fine imposed for such a breach.
A spokeswoman for Google said in a written statement on Friday Google would review possible changes.
“People expect to understand and control how their data is used, and we’ve invested in industry-leading tools that help them do both,” the statement said.
“This case was not about whether consent is needed for personalised advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make.”
The French regulator CNIL in January last year found the world’s biggest search engine lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalised ads.
Its decision relied on the European Union’s General Data Protection Regulation (GDPR), the biggest shake-up of data privacy laws in more than two decades, which came into force in 2018.
It allows users to better control their personal data and gives regulators the power to impose fines of up to 4 percent of global revenue for violations.
France’s supreme administrative court, the Council of State, on Friday confirmed the CNIL’s reading of the case.
“(The court) also notes that the information available is sometimes incomplete, in particular regarding the data retention period and the purposes of the various processing operations carried out by Google,” it said.