TR Daily France’s CNIL Fines Google 50M Euro for GDPR Violations
Tuesday, January 22, 2019

France’s CNIL Fines Google 50M Euro for GDPR Violations

In its first imposition of new financial sanction limits under the European Union’s General Data Protection Regulation (GDPR), the restricted committee of France’s National Commission for Information Technology and Civil Liberties (CNIL) has imposed a 50 million euro (US$56.8 million) penalty on Google LLC for violating the GDPR by not providing easily accessible information about the treatment of collected data and by not obtaining valid user content to process data for ad personalization.

In explaining the fine, the CNIL said that users were deprived of “essential guarantees regarding processing operations that can reveal important parts of their private life,” that “the violations are continuous breaches of the Regulation as they are still observed to date,” and that the Android operating system has “an important place” in the French market, with thousands of French users creating Google accounts on their phones every day.

The case stems from May 2018 complaints with the CNIL filed by None Of Your Business (NOYB) and La Quadrature du Net (LQDN) that Google lacked a valid legal basis for processing users’ personal data, particularly for ad personalization.

“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service,” the CNIL said yesterday in announcing the committee’s action.

Similarly, the information on data processing for ad personalization is similarly spread across multiple documents, so that users are not made aware of all the Google services involved. In addition, “before creating an account, the user is asked to tick the boxes ‘I agree to Google’s Terms of Service’ and ‘I agree to the processing of my information as described above and further explained in the Privacy Policy’ in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose,” the CNIL said. —Lynn Stanton, [email protected]


Back to Top

Interested in submitting an article?

Submit your information to us today!

Learn More