The decision is based on the complaints filed by two associations on 25 May and 28 May 2018, respectively. The associations "None of Your Business" (NOYB) and "La Quadrature du Net" (LQDN) claimed two types of violations of the GDPR. The claims related to the creation of a Google account on an Android smartphone.
The CNIL complains that Google violated its transparency and information obligations by failing to make the information it provides easily accessible to users. Specifically, the CNIL claims that "essential information," such as information on the purposes of the data processing and the duration of data storage, is spread over several documents. This requires users to click on buttons and links to obtain additional information. Ultimately, five to six steps are necessary to obtain the information.
The CNIL also criticizes the fact that the wording of some of the information is unclear. Users are not in a position to fully understand the extent of Google's processing operations. Therefore, Google does not have valid consent from the users and thus lacks the legal basis to display personalized ads to them. Users do not see any information as to how many Google services are affected by their consent to the processing of data for the personalization of advertisements, and so are not sufficiently informed about the scope of that consent. Therefore, the consent obtained from users when they register a Google account is neither specific nor unambiguous. This led the CNIL to declare that the consent obtained by Google to the display of personalized advertisements was invalid.
Under the GDPR, companies may be fined up to four percent of their consolidated annual revenues for the previous fiscal year. In this specific case, the €50 million fine was based on the severity of the violation of fundamental principles of the GDPR, including transparency, information and consent. Moreover, the violations are not one-off or limited in time. Google has announced its intention to appeal.
This is the first penalty of this size imposed by a European data protection authority. Thus far in Germany, the fines imposed by the data protection authorities of the Bundesländer have only been in the five-figure range. There is reason to fear that pressure will increase on the German authorities to sufficiently assess the scope of the violations and the importance of the companies in their discretionary decisions.
The decision makes it clear that information obligations should be taken very seriously, especially in connection with consent. In particular, companies that, like Google, process a lot of personal data, or base their business models on personalized advertising and are relevant to the market, should review their processes against the background of the criteria formulated by the CNIL. This also applies to companies whose business model does not focus on data processing. It is likely that other European data protection authorities will take the CNIL's analysis as an opportunity to perform their own reviews. It should be noted that the authorities can open a review on their own initiative, without a prior complaint.