de en
Nexia Ebner Stolz

Legal Advice

GDPR: France imposes million-euro fine on Google

On 21 Ja­nu­ary 2019, the French data pro­tec­tion aut­ho­rity CNIL fi­ned Google €50 mil­lion for vio­la­ting the Ge­ne­ral Data Pro­tec­tion Re­gu­la­tion (GDPR). The CNIL is the first Eu­ro­pean re­gu­la­tor to pu­nish a glo­bal In­ter­net com­pany in con­nec­tion with the GDPR.

The de­ci­sion is ba­sed on the com­plaints fi­led by two as­so­cia­ti­ons on 25 May and 28 May 2018, re­spec­tively. The as­so­cia­ti­ons "None of Your Busi­ness" (NOYB) and "La Qua­dra­ture du Net" (LQDN) clai­med two ty­pes of vio­la­ti­ons of the GDPR. The claims re­la­ted to the crea­tion of a Google ac­count on an An­droid smart­phone.

GDPR: France imposes million-euro fine on Google© Thinkstock

The CNIL com­plains that Google vio­la­ted its trans­pa­rency and in­for­ma­tion ob­li­ga­ti­ons by fai­ling to make the in­for­ma­tion pro­vi­ded by Google ea­sily ac­ces­si­ble to users. Spe­ci­fi­cally, the CNIL claims that "es­sen­tial in­for­ma­tion," such as in­for­ma­tion on the pur­po­ses of the data pro­ces­sing and the du­ra­tion of data sto­rage, is spread over se­veral do­cu­ments. This re­qui­res users to click on but­tons and links to ob­tain ad­di­tio­nal in­for­ma­tion. Ul­ti­mately, five to six steps are ne­cessary to ob­tain the in­for­ma­tion.

The CNIL also cri­ti­ci­zes the fact that the wording of some of the in­for­ma­tion is un­clear. Users are not in a po­si­tion to fully un­der­stand the ex­tent of Google's pro­ces­sing ope­ra­ti­ons. The­re­fore, Google does not have a va­lid cons­ent from the users and thus lacks the le­gal ba­sis to dis­play per­so­na­li­zed ads to them. Users do not see any in­for­ma­tion as to how many Google ser­vices are af­fec­ted by their cons­ent to the pro­ces­sing of data for the per­so­na­liza­tion of ad­ver­ti­se­ments. They are not suf­fi­ci­ently in­for­med about how many Google ser­vices their cons­ent re­la­tes to. The­re­fore, the cons­ent ob­tai­ned from users when they re­gis­ter a Google ac­count is neit­her spe­ci­fic nor unam­bi­guous. This led the CNIL to de­clare that the cons­ent ob­tai­ned by Google to the dis­play of per­so­na­li­zed ad­ver­ti­se­ments was in­va­lid.

Un­der the GDPR, com­pa­nies may be fi­ned up to four per­cent of their con­so­li­da­ted an­nual re­ve­nues for the pre­vious fis­cal year. In this spe­ci­fic case, the €50 mil­lion fine was ba­sed on the se­ve­rity of the vio­la­tion of fun­da­men­tal prin­ci­ples of the GDPR, in­clu­ding trans­pa­rency, in­for­ma­tion and cons­ent. Mo­re­over, the vio­la­ti­ons are not one-off or li­mited in time. Google has an­noun­ced its in­ten­tion to ap­peal.


This is the first pe­nalty of this size im­po­sed by a Eu­ro­pean data pro­tec­tion aut­ho­rity. Thus far in Ger­many, the fi­nes im­po­sed by the data pro­tec­tion aut­ho­ri­ties of the Bun­desländer have only been in the five fi­gu­res. It is to be fea­red that pres­sure on the Ger­man aut­ho­ri­ties to suf­fi­ci­ently as­sess the scope of the vio­la­ti­ons and the im­port­ance of the com­pa­nies in their dis­cre­tio­nary de­ci­si­ons will in­crease.

The de­ci­sion ma­kes it clear that in­for­ma­tion ob­li­ga­ti­ons should be ta­ken very se­riously, es­pe­cially in con­nec­tion with cons­ent. In par­ti­cu­lar, com­pa­nies that, like Google, pro­cess a lot of per­so­nal data, or base their busi­ness mo­dels on per­so­na­li­zed ad­ver­ti­sing and are re­le­vant to the mar­ket should re­view their pro­ces­ses against the back­ground of the cri­te­ria for­mu­la­ted by the CNIL. This also ap­plies to com­pa­nies whose busi­ness mo­del does not fo­cus on data pro­ces­sing. It is li­kely that other Eu­ro­pean data pro­tec­tion aut­ho­ri­ties will take the CNIL's ana­ly­sis as an op­por­tu­nity to per­form their own re­views. It should be no­ted that the aut­ho­ri­ties can in­itiate a re­view on their own in­itia­tive, wi­thout a prior com­plaint.

back to top