French regulator slaps Google with €50m GDPR fine

Written by Sam Trendall on 23 January 2019 in News

Search giant given hefty penalty after complaint in relation to personalised advertising

French regulator CNIL has imposed a €50m fine on Google for two breaches of the EU General Data Protection Regulation.

Following complaints made by two privacy and rights campaign groups – None Of Your Business and La Quadrature du Net – the data watchdog launched an investigation to ascertain whether or not Google had “a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes”.

CNIL undertook “online inspections” in September, during which investigators configured an Android device and created a Google account.

These inspections found two breaches of GDPR, the first of which constitutes “a violation of the obligations of transparency and information”.

The regulator said that necessary information explaining Google’s practices and policies “is not easily accessible for users”.

“Essential information, such as the data-processing purposes, the data storage periods, or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL said. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions.”

Related content

For example, information on data collected for the purposes of personalisation or geo-tracking is only available to users via a string of clicks, CNIL said.

The second breach of GDPR identified by the regulator is “a violation of the obligation to have a legal basis for ads personalisation processing”.

CNIL said that, in the case of personalised advertising, Google uses invalid means to obtain user consent to data processing for this purpose. 

This, the watchdog said, is for two reasons.

“First… users’ consent is not sufficiently informed,” CNIL said. “Then… the collected consent is neither ‘specific’ nor ‘unambiguous’.”

The €50m fine issued represents the first time the regulator has imposed sanctions under GDPR – which provides for much higher financial penalties than previous legislation. Prior to the EU regulation coming into effect in May 2018, the maximum fine that could be levied on companies under French data-protection laws was €1.5m.

CNIL said: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information, and consent.”

While Google’s punishment marks the first time a European data regulator has used GDPR to impose such a big fine, it could have been much worse for the internet firm: the maximum available penalty in this case is 4% of the offending firm’s annual global turnover which, for Google, would equate to a figure of almost €4bn.

Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

About the author

Sam Trendall is editor of PublicTechnology

Share this page




Please login to post a comment or register for a free account.

Related Articles

Information commissioner: ‘Many cyber issues are preventable’
13 April 2022

Head of data watchdog urges public bodies to ensure ‘vigilance’ after revealing that successful phishing attacks represent an increasing number of cyber incidents

Supercharged: Inside the ONS plan to become a data-science 'powerhouse'
12 May 2022

Five years after being established, the Data Science Campus of the ONS wants to do more to help address government's biggest policy issues – while still retaining its innovative edge. ...

‘Get things right at the start’ – new playbook sets out rules to be applied to all government digital projects
28 March 2022

Document covers issues such as assessments of suppliers and delivery models, and upfront consideration of potential issues with legacy IT

Ransomware: Cabinet minister sounds alarm over ‘greatest cyberthreat to the UK’
16 May 2022

Steve Barclay urges greater reporting of attacks