On 21 January 2019, the French data protection authority — the Commission nationale de l’informatique et des libertés (“CNIL”) — issued a General Data Protection Regulation (“GDPR”) fine of EUR 50 million against Google LLC (“Google”).

The CNIL launched its investigation of Google on 1 June 2018 based on two complaints filed by data subjects. According to the CNIL, Google was responsible for a lack of transparency related to the processing of personal data and did not properly obtain consent where needed.

The CNIL concluded that Google failed to provide appropriate information to data subjects, that the privacy information was complicated, and that data subjects were in fact discouraged from obtaining the relevant information. The CNIL pointed out that Google structured its information notice in a complicated manner and that information was distributed across several documents; for example, in order to access some information related to geo-location or the personalisation of ads, users had to perform multiple steps and open multiple pages with privacy policies. This approach to the provision of information to data subjects was found not to be in line with GDPR principles. Moreover, the CNIL concluded that Google’s information notice was vague and hard to comprehend. Users therefore could not fully understand on what legal grounds Google processes their personal information. Furthermore, Google did not inform users about the retention periods for certain personal data.

Regarding problems of consent, the CNIL pointed out that Google violated the obligation to have a valid legal basis for ad personalisation processing. Firstly, Google did not provide for the privacy-by-default principle when setting standards for the delivery of personalised ads (i.e., Google had pre-ticked the consent to personalisation boxes). Secondly, the user was required to consent to Google’s privacy policy in order to use its services; this resulted in a disproportional scope of personal data processing, as the GDPR stipulates that data subjects must agree to each purpose of processing specifically and individually.

The CNIL found the EUR 50 million fine to be justified. Under the GDPR, the maximum fine is 4 per cent of worldwide turnover; therefore, in Google’s case the maximum fine could have been much higher. The CNIL added that the violations were continuous, that they persist to this day, and that Google should have acted with the due diligence of an industry expert, yet did not.

It should be noted that the decision, even though issued by the French regulator, has EU-wide consequences. In particular, under the GDPR fines should be imposed in the same manner in all EU countries and should apply in all jurisdictions. Google may, of course, appeal against the decision.

The fine for Google represents the largest GDPR-related sanction to date. In CEE jurisdictions where Kinstellar operates (i.e., Bulgaria, the Czech Republic, Hungary, Romania, Serbia, Slovakia and Ukraine), the data protection authorities (“DPAs”) are less eager to pursue complaints and serious enforcement of GDPR obligations remains in its infancy. For example, the Romanian DPA adopted an investigation procedure in October 2018 but has been waiting to have the appropriate legal framework in place before actually carrying out significant investigations.

Despite the slower pace of enforcements, DPAs in CEE jurisdictions have received thousands of complaints that are currently being processed (for example, the Bulgarian DPA has received around 800 complaints). According to the president of the Hungarian National Authority for Data Protection and Freedom of Information, the structure of complaints has not changed dramatically compared with previous legislation; typically, the nature of complaints concerns CCTV monitoring, online shopping, and credit management performed by banks and lending institutions. The situation is similar in other CEE countries.

In the Czech Republic, one complaint has been lodged against Google. The consumer protection association dTest claims that Google collects the location data of users of Google services on the company’s website and in applications. It also claims that Google is not transparent in processing data. It is likely that other DPAs will also have to address this complaint.

We estimate that the upcoming months will see the first results of data complaints in the CEE region, and that the respective DPAs will have to deal with the difficult question of how much to fine offenders.