GDPR: France imposes million-euro fine on Google

The deci­sion is based on the com­p­laints filed by two asso­cia­ti­ons on 25 May and 28 May 2018, respec­ti­vely. The asso­cia­ti­ons "None of Your Busi­ness" (NOYB) and "La Quad­ra­ture du Net" (LQDN) clai­med two types of vio­la­ti­ons of the GDPR. The claims rela­ted to the crea­tion of a Google acco­unt on an And­roid smart­phone.

The CNIL com­p­lains that Google vio­la­ted its tran­s­pa­rency and infor­ma­tion obli­ga­ti­ons by fai­ling to make the infor­ma­tion pro­vi­ded by Google easily acces­si­ble to users. Spe­ci­fi­cally, the CNIL claims that "essen­tial infor­ma­tion," such as infor­ma­tion on the pur­po­ses of the data pro­ces­sing and the dura­tion of data sto­rage, is spread over several docu­ments. This requi­res users to click on but­tons and links to obtain addi­tio­nal infor­ma­tion. Ulti­ma­tely, five to six steps are necessary to obtain the infor­ma­tion.

The CNIL also criti­ci­zes the fact that the wor­ding of some of the infor­ma­tion is unc­lear. Users are not in a posi­tion to fully under­stand the extent of Google's pro­ces­sing ope­ra­ti­ons. The­re­fore, Google does not have a valid con­sent from the users and thus lacks the legal basis to dis­play per­so­na­li­zed ads to them. Users do not see any infor­ma­tion as to how many Google ser­vices are affec­ted by their con­sent to the pro­ces­sing of data for the per­so­na­liza­tion of adver­ti­se­ments. They are not suf­fi­ci­ently infor­med about how many Google ser­vices their con­sent rela­tes to. The­re­fore, the con­sent obtai­ned from users when they regis­ter a Google acco­unt is neit­her spe­ci­fic nor unam­bi­guous. This led the CNIL to declare that the con­sent obtai­ned by Google to the dis­play of per­so­na­li­zed adver­ti­se­ments was inva­lid.

Under the GDPR, com­pa­nies may be fined up to four per­cent of their con­so­li­da­ted annual reve­nues for the pre­vious fis­cal year. In this spe­ci­fic case, the €50 mil­lion fine was based on the seve­rity of the vio­la­tion of fun­da­men­tal prin­ci­p­les of the GDPR, inclu­ding tran­s­pa­rency, infor­ma­tion and con­sent. More­o­ver, the vio­la­ti­ons are not one-off or limi­ted in time. Google has announ­ced its inten­tion to appeal.

Note

This is the first pen­alty of this size impo­sed by a Euro­pean data pro­tec­tion aut­ho­rity. Thus far in Ger­many, the fines impo­sed by the data pro­tec­tion aut­ho­ri­ties of the Bun­des­län­der have only been in the five figu­res. It is to be fea­red that pres­sure on the Ger­man aut­ho­ri­ties to suf­fi­ci­ently assess the scope of the vio­la­ti­ons and the import­ance of the com­pa­nies in their disc­re­tionary deci­si­ons will inc­rease.

The deci­sion makes it clear that infor­ma­tion obli­ga­ti­ons should be taken very seriously, espe­cially in connec­tion with con­sent. In parti­cu­lar, com­pa­nies that, like Google, pro­cess a lot of per­so­nal data, or base their busi­ness models on per­so­na­li­zed adver­ti­sing and are rele­vant to the mar­ket should review their pro­ces­ses against the back­ground of the cri­te­ria for­mu­la­ted by the CNIL. This also app­lies to com­pa­nies whose busi­ness model does not focus on data pro­ces­sing. It is likely that other Euro­pean data pro­tec­tion aut­ho­ri­ties will take the CNIL's ana­ly­sis as an oppor­tunity to per­form their own reviews. It should be noted that the aut­ho­ri­ties can ini­tiate a review on their own ini­tia­tive, wit­hout a prior com­p­laint.