French regulator slaps Google with €50m GDPR fine

Written by Sam Trendall on 23 January 2019 in News

Search giant given hefty penalty after complaint in relation to personalised advertising

French regulator CNIL has imposed a €50m fine on Google for two breaches of the EU General Data Protection Regulation.

Following complaints made by two privacy and rights campaign groups – None Of Your Business and La Quadrature du Net – the data watchdog launched an investigation to ascertain whether or not Google had “a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes”.

CNIL undertook “online inspections” in September, during which investigators configured an Android device and created a Google account.

These inspections found two breaches of GDPR, the first of which constitutes “a violation of the obligations of transparency and information”.

The regulator said that necessary information explaining Google’s practices and policies “is not easily accessible for users”.

“Essential information, such as the data-processing purposes, the data storage periods, or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL said. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions.”

Related content

For example, information on data collected for the purposes of personalisation or geo-tracking is only available to users via a string of clicks, CNIL said.

The second breach of GDPR identified by the regulator is “a violation of the obligation to have a legal basis for ads personalisation processing”.

CNIL said that, in the case of personalised advertising, Google uses invalid means to obtain user consent to data processing for this purpose. 

This, the watchdog said, is for two reasons.

“First… users’ consent is not sufficiently informed,” CNIL said. “Then… the collected consent is neither ‘specific’ nor ‘unambiguous’.”

The €50m fine issued represents the first time the regulator has imposed sanctions under GDPR – which provides for much higher financial penalties than previous legislation. Prior to the EU regulation coming into effect in May 2018, the maximum fine that could be levied on companies under French data-protection laws was €1.5m.

CNIL said: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information, and consent.”

While Google’s punishment marks the first time a European data regulator has used GDPR to impose such a big fine, it could have been much worse for the internet firm: the maximum available penalty in this case is 4% of the offending firm’s annual global turnover which, for Google, would equate to a figure of almost €4bn.

Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

About the author

Sam Trendall is editor of PublicTechnology

Share this page




Please login to post a comment or register for a free account.

Related Articles

The business case for IT upgrades and a surfeit of sign-ins – five things we learned about the future of digital government
13 October 2021

At techUK’s recent annual public sector tech conference, government’s digital leaders discussed their plans for the months ahead and the challenges they currently face. PublicTechnology...

App-based freedoms and the relentless battle for cybersecurity
3 September 2021

As our movements increasingly depend on using our smartphones to demonstrate status, we need to ensure technology is secure, according to Dr Sarah Morris, of Cranfield University.