France’s CNIL fines Google €50 million for breach of GDPR

France’s National Commission for Information Technology and Civil Liberties (CNIL) has fined Google €50 million for a breach of GDPR. The CNIL’s restricted committee imposed the penalty for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”.

There are several things about this judgement that will get the attention of boardrooms around the world.

In May of last year, the CNIL received two complaints about Google. They came from privacy campaign groups None Of Your Business (NYOB)and La Quadrature du Net (LQDN). Both alleged that Google was processing personal data of European citizens without having a valid basis to do so. One of the uses of the data was ad personalisation.

Due to the fact that Google is based in Ireland, before taking the case, the CNIL asked Ireland’s ICO if they wanted to deal with it.  Under the EU one-stop-shop mechanism, Ireland would normally be the lead authority in cases like this. However, it was quickly established that Ireland was unable to deal with issues around Android and Google. As a result, the CNIL implemented the European Framework set out by the European Data Protection Board’s guidelines.

Premium IPTV in the UK

An inspection of how Google handled privacy data and responded to requests from users was carried out in September. The CNIL notes that Google breached the GDPR on two counts.

Violation of the obligation of transparency and information

It takes up to 6 separate actions to find what Google holds on a user. In addition the data is confusing and incomplete. This is compounded by deliberate vagueness in the way the use of data and the purposes of processing are explained.

Violation of the obligation to have a legal basis for ads personalisation processing: 

Google claims it has sought and received user consent for ads personalisation. The CNIL says it has not. It claims that the way data is collected and the information provided means that: “consent is neither specific or unambiguous.”

No catch-all phrases

Requiring a user to tick boxes such as “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” is insufficient. The GDPR states consent is specific only if given distinctly for each purpose.

The CNIL state,

This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.

Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.

Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone. Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalisation. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.

This fine just may be a wake-up all to all the companies and websites that are failing to implement the GDPR properly. Clearly, the fear for many websites is that the more they ask for consent, the less they will get. Therefore, they are defaulting to users having to opt-out instead of opting in.

Some of the lessons that companies and websites will have to deal with are:

  • Ensure users are opted-out by default
  • Make it easier for users to get access to their data
  • Remove any ambiguity over what data is being gathered and how it is to be used
  • If the data is processed by third-parties, users need to be fully informed and allowed to opt-out
  • When providing data to users, it must be clear, easily accessed and easy to read
  • The use of catch-all boxes such as “I agree to xxx Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” is insufficient.