Google Receives a Fine of EUR 50 Million for Violating the GDPR

On 21 January 2019, the French equivalent of the Czech Office for the Protection of Personal Data (the “OPPD”), Commission nationale de l'informatique et des libertés (the “CNIL”), imposed a fine of EUR 50 million on GOOGLE LLC for violating the General Data Protection Regulation (the “GDPR”). The fine was imposed for lack of transparency in processing personal data, for insufficiently informing data subjects, and for invalid consents relating to the personalisation of advertising. This is by far the greatest sanction imposed to date since last May, when the Regulation came into effect.

The CNIL started to look into the case at the instigation of two privacy rights organisations as the authority in Ireland, where Google’s European headquarters are based, had insufficient decision-making powers.[3] The complaint was filed on behalf of several thousand Android users on the very day that the GDPR became effective.

Google failed to provide information to users with sufficient transparency
The CNIL found that the information provided by Google to users was not sufficiently easy to access. The information that must be provided pursuant to the GDPR (eg, the processing purpose or period of storing personal data) was diluted across several documents that required five to six clicks or other actions if the user wished to obtain full information. The CNIL also concluded that the processing purposes as stated by Google were too vague and did not adequately explain the legal grounds for processing. Therefore, users may not have had clear information as to whether the processing was based on their consent or the protection of Google’s legitimate rights.

The CNIL found the “pre-ticked” consents to be invalid
The consents which Google was granted for the purposes of ads personalisation were found to be invalid for two reasons. Firstly, as the information was fragmented, it was impossible for users to trace the actual scope of services and applications using the data and were thereby insufficiently informed.

Secondly, the consents were neither sufficiently clear nor specific (granted for each individual purpose). For users to be able to create an account, they had to tick off that they agreed with the terms of use and personal data processing “described above and explained in the personal data processing rules”. In doing so, users gave their consent to all purposes such as ads personalisation or speech recognition. Neither was Google saved by the fact that it subsequently enabled users to click on the pre-ticked consent with ads personalisation. According to the CNIL, the correct treatment would be, for example, for the user to actively mark an empty field.

The amount of the fine was justified by a breach of basic principle
The CNIL justified the amount of the fine by the severity of the breach, which was related to the basic principles on which the GDPR is founded: transparency, information and consent. In addition, the CNIL stated that the breach had been committed on a large scale until the present day; therefore, it was not a one-off breach. The fact that Google’s economic model is partially based on ads personalisation was also weighed against Google by the CNIL, therefore it was “of its utmost responsibility to comply with the obligations on the matter”.

Last year, the Czech OPPD announced that until the GDPR adaptation act was adopted, it primarily wished to raise awareness of the GDPR rather than impose sanctions. However, as the Regulation is applied in the whole EU in the same manner, there is no reason to assume that the OPPD’s assessment of the case would differ from that of the CNIL in the event of such extensive and systemic misconduct.

The article is part of dReport – January 2019, Legal news.

Google CNIL GDPR dReport newsletter
Law  Tax 

Brexit and its Implications for Your Firm: 10 Steps on How to Prepare for the “No Deal” Scenario

The divorce battle between the United Kingdom and the European Union is in full swing and the result is still unclear. At present, the only certain thing is that the two-year period will soon expire. Several possibilities exist as to the timeframe and the ultimate setup of the relations between the United Kingdom, the European Union and other countries, including the Czech Republic. This inevitably complicates all additional steps that you should take prior to the final decision. To be prepared for the “big day”, which falls on 29 March 2019 or 30 March 2019 considering the time zone difference, it is advisable to expect the “no deal” or “hard Brexit” scenario given the circumstances. Our ten recommendations may be of assistance to you in this respect. 

20. 3. 2019

The pros of having a strong and independent competition authority

The interaction of firms on the market is strongly regulated and competition authorities should make sure that firms do business on an equal playing field. In a competitive environment, the pressure on efficiency and effectiveness is ever greater. In order to withstand this trend, firms must keep coming up with quality and innovative goods at better prices. This is beneficial not only for consumers. Greater purchasing power of consumers and growth in firms’ production ultimately contribute to the growth of the entire economy. If the rules in place are followed, firms will remain driven to offer a wide range of quality and innovative products at low prices. 

15. 3. 2019

GDPR in practice: The General Data Protection Regulation starts achieving its intended goal

For a number of companies and consumers, 25 May 2018 was a revolutionary milestone in terms of personal data importance. Partly given the significant attention paid by the media, consumers and organisations started recognising their respective rights and obligations. The regulation, which was approved in April 2016 and came into effect two years later, resulted in a number of changes in the functioning of the affected organisations. What changes were they? What is the public perception of the GDPR? Has anything changed in practice at all? 

7. 3. 2019