CNIL issues record GDPR fine

Out-Law News | 22 Jan 2019 | 10:22 am | 2 min. read

Google LLC has been fined €50 million after a French watchdog determined that the company failed to comply with EU data protection laws.

The penalty was imposed by the Commission Nationale de l’information et des Liberties (CNIL) under the General Data Protection Regulation (GDPR).

The decision, which Google has said it will analyse, centres on the information Google has provided to users in France over how it uses their data, and its legal basis for processing the information, in the context of personalised advertising.

According to CNIL, Google has not clearly explained to its users in France why it processes their data, the length of time it stores the data for, or the categories of data it uses to personalise adverts. It said that while Google has set out this information, it is "excessively scattered throughout several documents" and requires users to sometimes click on additional buttons or links to find the relevant information.

Even where the information is available it is "not always clear and comprehensible", and the purposes for processing data that the company has set out are "described too generically and vaguely", it said.

CNIL said Google had also not made it sufficiently clear to users where it is relying on their consent to process personal data for the purpose of personalising ads. It said consent obtained from users is not sufficiently informed, specific enough or unambiguous, as required by the GDPR.

The watchdog said it had taken into account the information Google provides to users in relation to their privacy, and the configuration tools it makes available to users to allow them to control how their data is used.

"Despite the measures implemented … the deficiencies found deprive users of fundamental guarantees concerning treatments that can reveal whole areas of their privacy," CNIL said. It pointed to the volume of data collected, the wide variety of services from where data is sourced, and the possibility to combine the data from these services as the reason for this.

CNIL said it had issued the penalty after considering complaints raised by privacy group None of Your Business (NOYB) and digital rights campaigners La Quadrature du Net (LQDN). 

In a statement, a spokesperson for Google said: "People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps."

It is possible that Google's next step could be to lodge an appeal against the decision taken by CNIL.

This latest decision can be seen in the context of a number of ongoing differences between the French watchdog and Google. Earlier this month, an advocate general at the Court of Justice of the EU (CJEU) issued two non-binding opinions in cases that concern findings that CNIL has made in respect of Google's obligations in online search. In one of the cases, the advocate general said he did not support CNIL's view on the geographic scope of the 'right to be forgotten', and endorsed Google's approach to geoblocking in Europe only.

In December, Google notified users in the EU that as of 22 January the services it provides would be provided by Google Ireland Ltd. The move is a signal of the company's intention to select its Irish business as its main establishment in Europe for the purposes of the GDPR.