French regulator CNIL has imposed a €50m fine on Google for two breaches of the EU General Data Protection Regulation.

Following complaints made by two privacy and rights campaign groups – None Of Your Business and La Quadrature du Net – the data watchdog launched an investigation to ascertain whether or not Google had “a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes”.

CNIL undertook “online inspections” in September, during which investigators configured an Android device and created a Google account.

These inspections found two breaches of GDPR, the first of which constitutes “a violation of the obligations of transparency and information”.

The regulator said that necessary information explaining Google’s practices and policies “is not easily accessible for users”.

“Essential information, such as the data-processing purposes, the data storage periods, or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL said. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions.”

Related content

• GDPR: how did we get here, and what on earth happens next?
• Public sector ‘cannot rely on consent as a legal basis’ for GDPR compliance, warns ICO
• GDPR: Five things we will only discover after 25 May

For example, information on data collected for the purposes of personalisation or geo-tracking is only available to users via a string of clicks, CNIL said.

The second breach of GDPR identified by the regulator is “a violation of the obligation to have a legal basis for ads personalisation processing”.

CNIL said that, in the case of personalised advertising, Google uses invalid means to obtain user consent to data processing for this purpose. 

This, the watchdog said, is for two reasons.

“First… users’ consent is not sufficiently informed,” CNIL said. “Then… the collected consent is neither ‘specific’ nor ‘unambiguous’.”

The €50m fine issued represents the first time the regulator has imposed sanctions under GDPR – which provides for much higher financial penalties than previous legislation. Prior to the EU regulation coming into effect in May 2018, the maximum fine that could be levied on companies under French data-protection laws was €1.5m.

CNIL said: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information, and consent.”

While Google’s punishment marks the first time a European data regulator has used GDPR to impose such a big fine, it could have been much worse for the internet firm: the maximum available penalty in this case is 4% of the offending firm’s annual global turnover which, for Google, would equate to a figure of almost €4bn.

Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”