In the same way as users had to choose the option ‘Accept’, Google now has to accept and pay the substantial fine imposed upon them, for violating the policy which they themselves provided and explained to users. The regulation which controls personal data protection in detail is widely known. The regulation in question is the one adopted by the European Union, i.e. the GDPR (General Data Privacy Regulation). The aim of this regulation is to provide internet users with a broad spectrum of rights whilst browsing the internet, and to fine the companies which violate said regulations. Google LLC and Google Ireland know what it feels like to be fined, after the decision made on December 7th, 2020. French authorities for data protection (CNIL), based on the proof they have found, concluded that the aforementioned company had violated the provisions of the regulation, and thus, without any basis, unlawfully collected the personal data of users, causing intangible damages.
This is not the first time that Google has been fined due to violating personal data protection regulations. Namely, France had noticed the violation of GDPR provisions the first time it had occurred. Back then, the oversight was also related to informing the user about the data being collected for the purpose of personalized ads. It seems that Google had no intention of changing their cookies, up till the decision made by CNIL, although these cookies cause damage to end-users, who do not feel secure while using this internet browser.
As previously mentioned, it is necessary to provide users with a possibility to understand the cookies that will be active during their internet search process.
In the decision made on December 7, the French authorities state that Google had no intention of respecting such procedures, thus violating the rules. CNIL has announced that on March 16, 2020, they have concluded in-depth processing of google.fr, and have found that there had been a substantial violation, since a number of cookies, mostly for ad-tracking purposes, have been placed into the user’s device, without their knowledge and the possibility of activating the cookies knowingly.
When one takes into account the GDPR regulations, and the investigation of the French authorities, it is clear that there a violation of the EU regulation has occurred. It must be noted that the ad-tracking cookies which were active without the user’s consent, are not strictly necessary cookies. The only basis for such a cookie, which collects essential data of individuals who share their information, and trust the companies that provide internet services, is the user’s consent. Without consent, ad-tracking cookies, shall not and cannot be activated ‘in secret’. The only cookies which can be active without consent, and the end-user’s acceptance are strictly necessary cookies. However, it seems that Google LLC and Google Ireland do not share the legislator’s views.
The second argument confirming Google’s responsibility in this act is the fact that the banner consisted of 2 possibilities (the banner, following the rules prescribed by laws and regulations on the national and international level, has to include full information on cookies that are collected on the said page or browser): ‘Remind me later’ and ‘Access now’. At first glance, it seems that there aren’t any anomalies in these options. However, after clicking on either of these options on the banner, it is clear that they offer no explanation regarding the automatic setting of cookies on the user’s device. By extension, the users were not obliged to, nor could they in any way know, what is on their device, and how it got there.
The last argument of the French authorities was the fact that the option to deactivate the ad-tracking cookies did exist by simply clicking the button ‘Consult now’, however, as soon as the user would click there, the ad-tracking cookies did not disappear, but remained active and were collecting information, even though the user had decided to deactivate them.
Based on these arguments, and the final conclusion, Google LLC was fined 60 million euros, and Google Ireland 40 million euros, because they have wrongfully collected the user’s data. This kind of decision can serve as a precaution, as an obvious example to all those who have thought about collecting a bit of data ‘in secret’.
Serbia does not lag with regulating this issue at the European and global level. The Law on Personal Data Protection prescribes the possibility of imposing a fine, from 50,000 dinars, up to 2 million dinars for a single violation and damage to the user’s rights.
One of the things which have a great consequence for those in the e-commerce business is their reputation. Besides paying a huge fine, a company can lose its clients, due to the unlawful collection of their personal data.