On 21 January 2019, France’s data protection regulator, the CNIL, imposed a fine on Google LLC of 50 million euros (approximately £44 million) for breaches of the General Data Protection Regulation (the GDPR) – the European data protection law that came into force on 25 May 2018.
This is the first fine imposed by the CNIL for violations of the GDPR, and it resulted from group complaints initiated by two campaigning organisations – “None Of Your Business” and “La Quadrature du Net”. Following investigations into the complaints, the CNIL found that Google had breached two requirements of the GDPR:
1. Articles 12 and 13 of the GDPR – Breach of transparency and information obligations.
Google was not transparent over how it collected and used personal data. Its privacy notice was not accessible (information was spread across many web pages), it did not contain all the required information and the general form and structure was non-compliant. This meant that users could not understand how their personal data would be processed by Google.
2. Article 6 – Failure to provide a legal basis for the processing of personal data for ads personalisation purposes.
Google relied on consent as its legal basis for processing personal data for ad personalisation. However, the CNIL found that consent was not properly obtained because it did not meet the GDPR standard of being “specific” and “unambiguous”. Additionally, in view of the fact that Google was in violation of its transparency requirements, the CNIL found that the consent was also not “informed” – another GDPR requirement.
While the fine is far below the maximum 4% of total global turnover that the CNIL could have imposed under the GDPR, it is a record data protection penalty, and hits at Google’s targeted advertisement business model.
This is the third fine the CNIL has levied against Google and comes only a month after the Italian competition regulator fined Facebook 10 million euros for misleading users over how it used their data. These fines demonstrate that regulators are not afraid of flexing their enforcement and fining abilities and will find a lack of transparency (where there is extensive processing and a large number of individuals are affected) to be a substantial infringement – a challenge for both Google and other tech giants.
The CNIL fine notice against Google can be accessed here.
Shehana Cameron Perera, Solicitor
Tim Ryan, Partner