French regulator slaps Google with €50m GDPR fine

Written by Sam Trendall on 23 January 2019 in News

Search giant given hefty penalty after complaint in relation to personalised advertising

French regulator CNIL has imposed a €50m fine on Google for two breaches of the EU General Data Protection Regulation.

Following complaints made by two privacy and rights campaign groups – None Of Your Business and La Quadrature du Net – the data watchdog launched an investigation to ascertain whether or not Google had “a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes”.

CNIL undertook “online inspections” in September, during which investigators configured an Android device and created a Google account.

These inspections found two breaches of GDPR, the first of which constitutes “a violation of the obligations of transparency and information”.

The regulator said that necessary information explaining Google’s practices and policies “is not easily accessible for users”.

“Essential information, such as the data-processing purposes, the data storage periods, or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL said. “The relevant information is accessible after several steps only, implying sometimes up to five or six actions.”

Related content

For example, information on data collected for the purposes of personalisation or geo-tracking is only available to users via a string of clicks, CNIL said.

The second breach of GDPR identified by the regulator is “a violation of the obligation to have a legal basis for ads personalisation processing”.

CNIL said that, in the case of personalised advertising, Google uses invalid means to obtain user consent to data processing for this purpose. 

This, the watchdog said, is for two reasons.

“First… users’ consent is not sufficiently informed,” CNIL said. “Then… the collected consent is neither ‘specific’ nor ‘unambiguous’.”

The €50m fine issued represents the first time the regulator has imposed sanctions under GDPR – which provides for much higher financial penalties than previous legislation. Prior to the EU regulation coming into effect in May 2018, the maximum fine that could be levied on companies under French data-protection laws was €1.5m.

CNIL said: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information, and consent.”

While Google’s punishment marks the first time a European data regulator has used GDPR to impose such a big fine, it could have been much worse for the internet firm: the maximum available penalty in this case is 4% of the offending firm’s annual global turnover which, for Google, would equate to a figure of almost €4bn.

Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

About the author

Sam Trendall is editor of PublicTechnology

Share this page




Please login to post a comment or register for a free account.

Related Articles

Interview: CDDO chief Lee Devlin on the ‘move from being disruptive to collaborative’
23 May 2023

In the first of a series of exclusive interviews, the head of government’s ‘Digital HQ’ talks to PublicTechnology about the Central Digital and Data Office’s work to unlock £8bn...

TikTok hit with £12.7m fine for unlawful use of children’s data
4 April 2023

ICO investigation finds that video platform failed to prevent more than one million underage users signing up

Capita working on restoring client services after cyberattack
3 April 2023

One of government’s biggest IT suppliers claims that there is 'no evidence' of data breach

Consultation reveals widespread opposition to proposed data-sharing laws for government login system
26 May 2023

Overwhelming majority of respondents voice disapproval but government will press on with plans to bring forward legislation

Related Sponsored Articles

Proactive defence: A new take on cyber security
16 May 2023

The traditional reactive approach to cybersecurity, which involves responding to attacks after they have occurred, is no longer sufficient. Murielle Gonzalez reports on a webinar looking at...