Google Receives a Fine of EUR 50 Million for Violating the GDPR

On 21 January 2019, the French equivalent of the Czech Office for the Protection of Personal Data (the “OPPD”), Commission nationale de l'informatique et des libertés (the “CNIL”), imposed a fine of EUR 50 million on GOOGLE LLC for violating the General Data Protection Regulation (the “GDPR”). The fine was imposed for lack of transparency in processing personal data, for insufficiently informing data subjects, and for invalid consents relating to the personalisation of advertising. This is by far the greatest sanction imposed to date since last May, when the Regulation came into effect.

The CNIL started to look into the case at the instigation of two privacy rights organisations as the authority in Ireland, where Google’s European headquarters are based, had insufficient decision-making powers.[3] The complaint was filed on behalf of several thousand Android users on the very day that the GDPR became effective.

Google failed to provide information to users with sufficient transparency
The CNIL found that the information provided by Google to users was not sufficiently easy to access. The information that must be provided pursuant to the GDPR (eg, the processing purpose or period of storing personal data) was diluted across several documents that required five to six clicks or other actions if the user wished to obtain full information. The CNIL also concluded that the processing purposes as stated by Google were too vague and did not adequately explain the legal grounds for processing. Therefore, users may not have had clear information as to whether the processing was based on their consent or the protection of Google’s legitimate rights.

The CNIL found the “pre-ticked” consents to be invalid
The consents which Google was granted for the purposes of ads personalisation were found to be invalid for two reasons. Firstly, as the information was fragmented, it was impossible for users to trace the actual scope of services and applications using the data and were thereby insufficiently informed.

Secondly, the consents were neither sufficiently clear nor specific (granted for each individual purpose). For users to be able to create an account, they had to tick off that they agreed with the terms of use and personal data processing “described above and explained in the personal data processing rules”. In doing so, users gave their consent to all purposes such as ads personalisation or speech recognition. Neither was Google saved by the fact that it subsequently enabled users to click on the pre-ticked consent with ads personalisation. According to the CNIL, the correct treatment would be, for example, for the user to actively mark an empty field.

The amount of the fine was justified by a breach of basic principle
The CNIL justified the amount of the fine by the severity of the breach, which was related to the basic principles on which the GDPR is founded: transparency, information and consent. In addition, the CNIL stated that the breach had been committed on a large scale until the present day; therefore, it was not a one-off breach. The fact that Google’s economic model is partially based on ads personalisation was also weighed against Google by the CNIL, therefore it was “of its utmost responsibility to comply with the obligations on the matter”.

Last year, the Czech OPPD announced that until the GDPR adaptation act was adopted, it primarily wished to raise awareness of the GDPR rather than impose sanctions. However, as the Regulation is applied in the whole EU in the same manner, there is no reason to assume that the OPPD’s assessment of the case would differ from that of the CNIL in the event of such extensive and systemic misconduct.

The article is part of dReport – January 2019, Legal news.

CNIL GDPR dReport newsletter

Rising prices of construction material complicate the public procurement process and performance of public contracts

In early September, the Czech Ministry of Regional Development and the Office for the Protection of Competition issued an opinion on the price increase of construction material. This way, the authorities respond to the rising prices of reinforcing steel, thermal insulation, scrap iron and other material by tens or even hundreds of per cent. The reason for the price rise is a lack of the mentioned goods on the market and related long delivery times. The authors of the opinion present possible solutions to the problems that can arise in the public procurement market as a result of this situation. 

22. 9. 2021

Private financial institutions are the new supervisors of environmental regulation. The courts’ approach is also changing

Regulations in the area of environmental law are constantly increasing, which means that sustainability is an increasingly important topic that directly affects individuals, companies and states. However, oversight of compliance with the new rules is no longer exercised only by environmental inspection authorities, but also by private financial institutions. The courts whose decisions directly affect the corporate and state responsibility for climate change have also adopted a new approach to this issue. Read about the most important events in environmental law in Q2 of 2021 and get acquainted with regulatory news that will affect the future of sustainable business throughout the European Union. 

28. 7. 2021

The EU wants to achieve climate neutrality by 2050, then it will aim for negative emissions

The existential threat resulting from climate change demands that the EU as well as its member states heighten their ambitions and intensify their measures. This is reflected not only in the EU’s approach to the European Climate Law and in the constant collection and analysis of data (referring to carbon rates, for example), but also in a change of the judicial ruling practice. In a recent ground-breaking verdict, a Dutch court ordered a private company to adjust its activities with regard to the need for tackling climate change. 

28. 7. 2021