Google appeals against fine imposed by French privacy watchdog

Out-Law News | 16 Jan 2014 | 2:02 pm | 2 min. read

Google has lodged an appeal against sanctions recently imposed on it by the French data protection authority.

Earlier this month the Commission Nationale de l’information et des Liberties (CNIL) served Google with a €150,000 fine after identifying a number of failings with the company's privacy policy and its compliance with French data protection rules. The fine is the maximum amount CNIL can impose on a first time offender under the rules.

The watchdog also ordered Google to publish, for a period of 48 hours, a copy of the order outlining its concerns on its website in France within eight days from the date of the order on 3 January.

However, French newspaper Le Figaro has reported that Google has launched an appeal against the sanctions imposed by CNIL in its order. The effect of the appeal is to suspend the sanctions, including the obligations facing the company to publish CNIL's notice, according to an automated translation of the report. The appeals body, the Council of State, could issue a ruling on the case as early as next week, it said.

Google has argued that French data protection rules are unenforceable in the case and has challenged CNIL's right to impose penalties on it, according to the Le Figaro report.

In a statement issued to Out-Law.com by the internet giant, Google said: "We've engaged fully with the CNIL throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services. We’re now appealing their decision."

In March 2012 Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led EU privacy watchdogs represented in the Article 29 Working Party to appoint CNIL to assess the single policy's compliance with EU data protection laws.

CNIL asked Google to take action to account for its concerns, but reported last year that the company had not done so to its satisfaction. In April 2013 CNIL announced that it, the UK's Information Commissioner's Office (ICO), and watchdogs in Germany, Italy, Spain and the Netherlands had formed a taskforce and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.

In a statement issued earlier this month which announced the imposition of sanctions against Google, CNIL said that the way Google implements its privacy policy runs contrary to "several legal requirements".

"The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing," CNIL said. "They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion."

"The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals. It fails to define retention periods applicable to the data which it processes. Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis," it added.

Last month Spain's data protection authority fined Google a total of €900,000 after finding similar failings with regards Google's privacy policy compliance with Spanish data protection laws.

In a report released in late November last year the Dutch watchdog also found that Google breached Dutch data protection laws in the way it implemented its new privacy policy. It has said it would wait for Google to respond to its findings before deciding whether to impose sanctions.