Google served maximum fine by French data protection authority over privacy policy failings

Out-Law News | 10 Jan 2014 | 9:35 am | 2 min. read

Google has been fined €150,000 by the data protection authority in France over failings the watchdog has identified with the company's privacy policy.

The Commission Nationale de l'Informatique et des Libertés (CNIL) said the penalty, which amounts to the maximum it can serve to first-time offenders under French data protection rules, was the highest it has ever issued. The penalty, imposed in an order it sent to Google on 3 January (29-page / 1.65MB PDF), was "justified by the number and the seriousness of the breaches stated in the case", it said.

CNIL also told Google to publish a copy of the order on its website in France, for a period of 48 hours, within eight days of 3 January.

"This publicity measure is justified by the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights," it said.

In March 2012 Google replaced over 60 existing privacy policies, covering services such as YouTube and Gmail, with one single all-encompassing policy covering the collection of personal data across all its services. The changes drew criticism from privacy campaigners and led EU privacy watchdogs represented in the Article 29 Working Party to appoint the French DPA, the Commission Nationale de l'Informatique et des Libertés (CNIL), to assess the single policy's compliance with EU data protection laws.

CNIL asked Google to take action to account for its concerns, but reported last year that the company had not done so to its satisfaction. In April 2013 CNIL announced that it, the UK's Information Commissioner's Office (ICO), and watchdogs in Germany, Italy, Spain and the Netherlands had formed a taskforce and agreed to pursue the possibility of separately levying penalties on Google for allegedly acting in breach of EU data protection laws.

CNIL said that the way Google implements its privacy policy runs contrary to "several legal requirements".

"The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing," CNIL said in a statement. "They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion."

"The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals. It fails to define retention periods applicable to the data which it processes. Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis," it added.

Paris-based data protection law expert Morgane Kauffmann of Pinsent Masons, the law firm behind Out-Law.com, said that even though the €150,000 penalty does pale in comparison to the quarterly global turnover of around $15 billion the company generates, it is the maximum fine that could have been served by CNIL's Sanctions Committee.

Kauffmann said that CNIL president, Isabelle Falque-Pierrotin, acknowledged in an interview with a French radio station that the penalties CNIL can impose are currently limited and said she would like greater powers to levy larger fines in the future.

Under plans to reform EU data protection laws that have been backed by a committee of MEPs, businesses operating within the EU could face fines of up to 5% of their annual global turnover, or €100 million if greater, if they breach the new General Data Protection Regulation that is in the process of being created.

Last month Spain's data protection authority fined Google a total of €900,000 after finding similar failings with regard to the compliance of Google's privacy policy with Spanish data protection laws.

In a report released in late November last year the Dutch watchdog also found that Google breached Dutch data protection laws in the way it implemented its new privacy policy. It has said it would wait for Google to respond to its findings before deciding whether to impose sanctions.