Google fined millions by French data protection regulators

Google has been fined 50 million euros (£44m) by the French data regulator Commission Nationale de l’Informatique et des Libertés (CNIL), for a breach of the EU’s data protection rules in relation to Google’s personalised advertising.

CNIL, the French data protection regulator, has issued Google with a record fine following complaints against Google by two privacy rights groups: noyb and La Quadrature du Net (LQDN). The groups claimed Google did not have a valid legal basis to process user data for ad personalisation, as mandated by the GDPR. Although Google’s European headquarters is in Ireland, it was decided that the case would be handled by the French data regulator, since the Irish watchdog did not have decision-making power over its Android operating system and service. CNIL said it had levied the fine for three key offences: (i) lack of transparency, (ii) inadequate information and (iii) lack of valid consent regarding ads personalisation.

Lack of transparency and inadequate information

One of the key GDPR principles is that any communication relating to data processing should be concise, transparent, intelligible and in an easily accessible form (Article 12). CNIL said Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents”. Google made it too difficult for users to find essential information, such as the purposes of the data processing, the data storage periods and the categories of personal data used for the ads personalisation, because the information was split across multiple documents, help pages and settings screens.

Lack of any valid consent

The GDPR requires that a company must have a legal basis to process personal information, such as consent or legitimate interest. Google obtains consent from people when they use apps such as YouTube, Google Maps and search. However, CNIL said this process did not make users aware of how the ads are personalised to them by using data collected across these services.

In addition, when a Google user creates an account, he/she is presented with a default option in the form of a pre-ticked box next to the statement: “I agree to the processing of my information as described above and further explained in the Privacy Policy.” Broad consent such as this is forbidden under the GDPR, and consent must be “freely given, specific, informed and unambiguous”. CNIL, therefore, ruled that Google had not validly obtained users’ consent to personalise ads because users had not been sufficiently informed about how the company uses personal data, nor was the consent that Google gathers “specific” or “unambiguous”.

In response, Google has said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

CNIL justified the large fine by noting that the violations were continuous, and still occurring. It added that Google’s violations were aggravated by the fact that Google’s economic model is partly based on ads personalisation, and that it was therefore Google’s “utmost responsibility to comply” with the GDPR.

This is not the first fine to be issued under the GDPR, but it is the biggest so far. Under the GDPR, a company can be hit with a fine of up to €20m or 4% of global annual turnover (whichever is higher). In Google’s case, a €50 million fine is a small amount compared to its annual turnover, but it does send a clear message to all companies that the regulators are taking GDPR compliance extremely seriously.