Google Receives a Fine of EUR 50 Million for Violating the GDPR

On 21 January 2019, the French equivalent of the Czech Office for the Protection of Personal Data (the “OPPD”), Commission nationale de l'informatique et des libertés (the “CNIL”), imposed a fine of EUR 50 million on GOOGLE LLC for violating the General Data Protection Regulation (the “GDPR”). The fine was imposed for lack of transparency in processing personal data, for insufficiently informing data subjects, and for invalid consents relating to the personalisation of advertising. This is by far the greatest sanction imposed to date since last May, when the Regulation came into effect.

The CNIL started to look into the case at the instigation of two privacy rights organisations as the authority in Ireland, where Google’s European headquarters are based, had insufficient decision-making powers.[3] The complaint was filed on behalf of several thousand Android users on the very day that the GDPR became effective.

Google failed to provide information to users with sufficient transparency
The CNIL found that the information provided by Google to users was not sufficiently easy to access. The information that must be provided pursuant to the GDPR (eg, the processing purpose or period of storing personal data) was diluted across several documents that required five to six clicks or other actions if the user wished to obtain full information. The CNIL also concluded that the processing purposes as stated by Google were too vague and did not adequately explain the legal grounds for processing. Therefore, users may not have had clear information as to whether the processing was based on their consent or the protection of Google’s legitimate rights.

The CNIL found the “pre-ticked” consents to be invalid
The consents which Google was granted for the purposes of ads personalisation were found to be invalid for two reasons. Firstly, as the information was fragmented, it was impossible for users to trace the actual scope of services and applications using the data and were thereby insufficiently informed.

Secondly, the consents were neither sufficiently clear nor specific (granted for each individual purpose). For users to be able to create an account, they had to tick off that they agreed with the terms of use and personal data processing “described above and explained in the personal data processing rules”. In doing so, users gave their consent to all purposes such as ads personalisation or speech recognition. Neither was Google saved by the fact that it subsequently enabled users to click on the pre-ticked consent with ads personalisation. According to the CNIL, the correct treatment would be, for example, for the user to actively mark an empty field.

The amount of the fine was justified by a breach of basic principle
The CNIL justified the amount of the fine by the severity of the breach, which was related to the basic principles on which the GDPR is founded: transparency, information and consent. In addition, the CNIL stated that the breach had been committed on a large scale until the present day; therefore, it was not a one-off breach. The fact that Google’s economic model is partially based on ads personalisation was also weighed against Google by the CNIL, therefore it was “of its utmost responsibility to comply with the obligations on the matter”.

Last year, the Czech OPPD announced that until the GDPR adaptation act was adopted, it primarily wished to raise awareness of the GDPR rather than impose sanctions. However, as the Regulation is applied in the whole EU in the same manner, there is no reason to assume that the OPPD’s assessment of the case would differ from that of the CNIL in the event of such extensive and systemic misconduct.

The article is part of dReport – January 2019, Legal news.

Google CNIL GDPR dReport newsletter
Technology  Law 

Personal Data Processing News [July 2019]

Personal data protection does not go unnoticed even in the summer. Great attention was attracted in particular by the British data protection authority ICO, which announced the possibility of imposing fines worth of millions of pounds on British Airways and Marriott. The European Data Protection Board also kept busy and adopted a series of important documents at its last meeting. The fate of standard contractual clauses and the Privacy Shield as a tool for transferring personal data to third countries and the US remains in the centre of attention. 

6. 8. 2019

Court versus Arbitration Proceedings: Do You Know How to Tackle Business Disputes Efficiently?

Most probably, all entrepreneurs have experienced some kind of business conflict in conducting their day-to-day business. Even though some industries are more prone to dispute than others, all businesses, from the smallest family firms up to large multinational corporations have to deal with disputes. Business conflicts that go much further beyond the regular terms may even jeopardise a firm’s existence per se. Therefore, there is a question of how to tackle such disputes efficiently. 

30. 7. 2019
People  Law 

The most significant changes in the field of labour migration after the amendment to the Act on the Residence of Foreigners

The amendment to the Act on the Residence of Aliens, which was signed by the President of the Czech Republic on 4th of July and was sent to be published in the Collection of the laws should come into effect in August 2019. The implementing regulations which are part of the amendment should come into effect in September 2019. Based on the EU transposition directive, the changes will enable foreign university students and researchers to stay in the Czech Republic up to nine months after completing their studies or research activities on the basis of a long-term residence for the purpose of finding a job or starting a business. 

15. 7. 2019