France’s data protection regulator (the “CNIL”) has imposed a €50 million fine on Google for failing to comply with EU data privacy laws. The fine is the highest yet to be imposed on an organisation under the General Data Protection Regulation (“GDPR”), which was enacted on 25 May last year.

The CNIL investigation that resulted in the fine was prompted by complaints lodged against Google by two advocacy groups, one of which was created by privacy campaigner Max Schrems. The complaints centred on the allegation that Google does not have a valid legal basis to process users’ personal data, particularly for its ad personalisation practices.

In its decision on 21 January 2019, the CNIL found that Google failed to comply with the obligations of transparency and in relation to the provision of information to users. Specifically, it considered that the essential information that must be made available to users upon collection of their personal data is excessively vague, difficult to access and manage, and does not clearly explain that Google relies on users’ consent as the legal basis to process their personal data for the purpose of personalising ads to them.

The CNIL also found that Google failed to have a legal basis for processing personal data for the purpose of ad personalisation. It considered that the consent on which Google purports to rely for the activity is not validly obtained because, firstly, users are not sufficiently informed of all the ways in which Google uses and combines their personal data to personalise ads to them, and secondly, the consent is neither specific nor ambiguous. The CNIL made specific reference to the fact that Google’s settings for ad personalisation are generally pre-ticked, which falls foul of the requirement under GDPR that unambiguous consent requires a clear affirmative action from the user (by ticking a box that is not already pre-ticked, for example).

In its statement responding to the CNIL’s decision, a Google spokesperson said that the company is deeply committed to meeting the high standards of transparency and control that are expected of it, and is studying the decision to determine its next steps.