France’s data protection authority, the Commission Nationale de l’information et des Liberties (“CNIL”) has fined Google €150,000 after the company ignored a three-month ultimatum to bring its practices on tracking and storing user information in line with French law. This fine is the highest CNIL has issued to date. In its decision from 3 January 2014, CNIL also ordered Google to post the decision on its google.fr homepage for 48 hours within eight days of being officially notified of the ruling.
 
The CNIL’s decision concerns the new approach to user data that Google has taken since March 2012, pursuant to which it consolidated its 60 various privacy policies into one policy and startedcombining data collected on individual users across its services, including YouTube, Gmail and its social network Google+. The consolidated policy did not give users the option to opt-out from the cross services aggregation approach. According to CNIL’s complaint, Googledoes not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. According to CNIL, Google’s customers “may neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion". CNIL asked Google to take action to account for its concerns, but reported last year that the company had not done so to its satisfaction.
 
Google said on Wednesday, 15 January 2014, that it had appealed the CNIL’s decision, claiming that its treatment of data gathered from users is in line with European law and that the changes it made in the policies simplify and standardize its approach across its various services.
 
Similar cases were commenced against Google in Spain, the UK, Germany, Italy and the Netherlands, alleging that Google’s privacy policy introduced in 2012 does not conform with local rules protecting consumers on how their personal data is processed and stored.