French regulator slaps Google with €50m GDPR fine

Written by Sam Trendall on 23 January 2019 in News

Search giant given hefty penalty after complaint in relation to personalised advertising

French regulator CNIL has imposed a €50m fine on Google for two breaches of the EU General Data Protection Regulation.

Following complaints made by two privacy and rights campaign groups – None Of Your Business and La Quadrature du Net – the data watchdog launched an investigation to ascertain whether or not Google had “a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes”.

CNIL undertook “online inspections” in September, during which investigators configured an Android device and created a Google account.

These inspections found two breaches of GDPR, the first of which constitutes “a violation of the obligations of transparency and information”.

The regulator said that necessary information explaining Google’s practices and policies “is not easily accessible for users”.

“Essential information, such as the data-processing purposes, the data storage periods, or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL said. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions.”

Related content

For example, information on data collected for the purposes of personalisation or geo-tracking is only available to users via a string of clicks, CNIL said.

The second breach of GDPR identified by the regulator is “a violation of the obligation to have a legal basis for ads personalisation processing”.

CNIL said that, in the case of personalised advertising, Google uses invalid means to obtain user consent to data processing for this purpose. 

This, the watchdog said, is for two reasons.

“First… users’ consent is not sufficiently informed,” CNIL said. “Then… the collected consent is neither ‘specific’ nor ‘unambiguous’.”

The €50m fine issued represents the first time the regulator has imposed sanctions under GDPR – which provides for much higher financial penalties than previous legislation. Prior to the EU regulation coming into effect in May 2018, the maximum fine that could be levied on companies under French data-protection laws was €1.5m.

CNIL said: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information, and consent.”

While Google’s punishment marks the first time a European data regulator has used GDPR to impose such a big fine, it could have been much worse for the internet firm: the maximum available penalty in this case is 4% of the offending firm’s annual global turnover which, for Google, would equate to a figure of almost €4bn.

Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

About the author

Sam Trendall is editor of PublicTechnology

Share this page




Please login to post a comment or register for a free account.

Related Articles

EXCL: Cabinet Office alerted to data breach – and fails to respond for 10 days
25 November 2022

Personal details of civil servant and supplier exposed by inadequately redacted document, discovered by PublicTechnology

Sunak plans to attract 100 AI whizz-kids to UK
23 November 2022

Prime minster announces tells conference that the UK ‘cannot allow the world’s top talent to be drawn to America or China’

ONS seeks £8m partner to help increase use of digital surveys
31 October 2022

Statistics agency looks to build on the rollout of the UK’s first-ever digital census last year 

Government does ‘not expect public-service disruption’ over UKCloud insolvency
28 October 2022

Public sector hosting provider has suspended itself from frameworks after being placed in compulsory liquidation