On January 21, 2019, French data protection supervisory authority CNIL imposed a fine of 50 million euros on GOOGLE LLC for violations of the General Data Protection Regulation.
The proceedings were initiated after CNIL had received several collective complaints shortly after the General Data Protection Regulation (GDPR) had entered into force. As a first step, CNIL found that GOOGLE did not have an establishment in the EU that could take independent decisions on data processing. Therefore, the “one stop shop” principle does not apply, according to which only the local data protection supervisory authority is competent for companies domiciled in the EU. Rather, any data protection supervisory authority in the EU is entitled to pursue infringements.
CNIL therefore investigated the creation of a new GOOGLE account during the configuration of a mobile device with the Android operating system. Several violations were discovered:
First of all, the requirements for transparent information of the user were not met. Key information (processing purposes, retention periods, categories of personal data for personalizing ads) is widely scattered across several documents with buttons and links that must be used to display further information. The relevant information would only be accessible after several steps, sometimes only after five or six activities. In addition, the information presented in this manner would not always be clear and comprehensive.
Also, consent of the data subject would not be obtained effectively. On the one hand, data subjects would not be sufficiently informed prior to their (ineffective) declaration of consent. On the other hand, a blanket consent had already been selected as the default setting and users could make restrictions only by using menu options that had to be accessed separately.
The decision on the EUR 50 million fine is not yet final and may still be appealed.
Data protection supervisors are now getting serious with imposing sanctions under the GDPR. The 50 million euro fine is only sanctioning offenses relating to the initial installation of user accounts in Android, not relating to other conceivable offenses. In Germany, over forty fines under the GDPR have also been imposed already while likely more than one hundred additional proceedings are underway. For financial reasons alone, it is recommended to implement the GDPR requirements fully and precisely.