On 21 January 2019, the French equivalent of the Czech Office for the Protection of Personal Data (the “OPPD”), Commission nationale de l'informatique et des libertés (the “CNIL”), imposed a fine of EUR 50 million on GOOGLE LLC for violating the General Data Protection Regulation (the “GDPR”). The fine was imposed for lack of transparency in processing personal data, for insufficiently informing data subjects, and for invalid consents relating to the personalisation of advertising. This is by far the greatest sanction imposed since last May, when the Regulation came into effect.
The CNIL started to look into the case at the instigation of two privacy rights organisations as the authority in Ireland, where Google’s European headquarters are based, had insufficient decision-making powers. The complaint was filed on behalf of several thousand Android users on the very day that the GDPR became effective.
Google failed to provide information to users with sufficient transparency
The CNIL found that the information provided by Google to users was not sufficiently easy to access. The information that must be provided pursuant to the GDPR (eg, the processing purpose or period of storing personal data) was diluted across several documents that required five to six clicks or other actions if the user wished to obtain full information. The CNIL also concluded that the processing purposes as stated by Google were too vague and did not adequately explain the legal grounds for processing. Therefore, users may not have had clear information as to whether the processing was based on their consent or the protection of Google’s legitimate rights.
The CNIL found the “pre-ticked” consents to be invalid
The consents which Google was granted for the purposes of ads personalisation were found to be invalid for two reasons. Firstly, as the information was fragmented, it was impossible for users to trace the actual scope of services and applications using the data, and they were thereby insufficiently informed.
The amount of the fine was justified by a breach of basic principles
The CNIL justified the amount of the fine by the severity of the breach, which was related to the basic principles on which the GDPR is founded: transparency, information and consent. In addition, the CNIL stated that the breach had been committed on a large scale until the present day; therefore, it was not a one-off breach. The fact that Google’s economic model is partially based on ads personalisation was also weighed against Google by the CNIL; therefore, it was “of its utmost responsibility to comply with the obligations on the matter”.
Last year, the Czech OPPD announced that until the GDPR adaptation act was adopted, it primarily wished to raise awareness of the GDPR rather than impose sanctions. However, as the Regulation is applied in the whole EU in the same manner, there is no reason to assume that the OPPD’s assessment of the case would differ from that of the CNIL in the event of such extensive and systemic misconduct.
The article is part of dReport – January 2019, Legal news.