Location Amsterdam
Jollemanshof 12
1019 GW Amsterdam
Phone
020 663 1941
E-mail
info@ictrecht.nl
KvK
34216164
BTW
NL8223.30.040.B01
Location Groningen
Leonard Springerlaan 35
9727 KB Groningen
Phone
050 209 34 99
E-mail
info@ictrecht.nl
KvK
68038712
BTW
NL857275835.B01
Location Brussel
Avenue Louise 65
1000 Brussel
Phone
+32 (0)2 535 77 55.
E-mail
info@legalict.com
Ondernemingsnummer
0696.909.465
BTW
BE 0696.909.465
Back to home

Breaking: Google fined €50 million by French privacy authority

22 January 2019 By

Yesterday, the French data protection authority (CNIL) issued the first major penalty under the GDPR: 50 million euros for lack of transparency and failing to obtain valid consent. This post will provide a summary and initial analysis based on the currently available information. More will undoubtedly follow as the dust settles.

The complaint

On the same day the GDPR went into force (25 May 2018) and three days after (May 28) CNIL received collective complaints from the association None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”), claiming that Google did not have a valid legal basis to process personal data of the users of its services, in particular for the purpose of ad personalization.

CNIL’s authority

According to CNIL it immediately started investigating the complaints and consulted with the other EU data protection authorities about which of them would have jurisdiction in accordance with the ‘one-stop-shop-mechanism’ provided in the GDPR. Interestingly, it was concluded that Google did not have a main establishment within the EU, because its Irish establishment did not have decision-making power about the processing operations at hand. This meant that CNIL deemed itself, as well as all of the other DPAs, competent to take a decision on the matter.

Violations

CNIL decided (in French) that Google had violated the GDPR by (i) not providing sufficient transparency and information as required under articles 5, 12 and 13, and (ii) processing personal data without a valid legal basis as required under art. 6, all in the context of creating a Google account when setting up an Android phone. According to CNIL the information provided by Google was not sufficiently clear and too difficult to access. Moreover, CNIL held that Google had not obtained valid consent for the personalization of ads because it was insufficiently specific and unambiguous. In particular, users were not sufficiently informed about the extent to which personal data was combined and profiles were formed and used across different services offered by Google (Search, Home, Maps, Youtube, Playstore, etc).

Penalty

The violations were deemed severe enough to justify a fine of 50 million euros, which was based on but still far less than the potential maximum of 4% of Googles worldwide turnover of about 96 billion euros. In its justification of the penalty amount, CNIL considered in particular that Google had violated essential principles of the GDPR while processing vast amounts of personal data under its business model which is partly (or largely) based on ad personalization across its wide variety of services (approximately twenty).

Implications

CNIL’s penalty to Google for violating the GDPR is the first major enforcement action under the GDPR and clearly sends a signal to the market that compliance must be taken very seriously. It also shows that tech giants may be held to a particularly high standard, as great responsibility follows inseparably from the great power which their massive data troves and processing capabilities present.

This landmark decision also indicates that it may be worth investing substantial effort and resources towards properly integrating privacy and GDPR compliance into user interface design, so that the appropriate information is provided to users at the appropriate moment, without too much effort from the user being required.

It remains to be seen whether Google will appeal the decision and the precise extent to which its considerations about transparency and consent will shape GDPR doctrine. We will keep you informed of relevant developments.

Matthijs van Bergen

Managing director Legal ICT
Matthijs manages Legal ICT’s Brussels office and advises clients mostly in matters concerning EU and international law. Matthijs has extensive experience in drafting and negotiating (international) ICT contracts and has substantial knowledge about intellectual property, privacy, information security, Internet, freedom of speech, net neutrality, and broadband in rural areas.

There are no comments yet

Leave a Reply

Your email address will not be published. Required fields are marked *

Your personal information will only be used to publish and process your response. Please read the privacy statement for more information