The French data protection authority (CNIL) has sanctioned Google with a record fine of EUR 50 million under the General Data Protection Regulation (GDPR) for lack of transparency, inadequate information and lack of valid consent, in particular, regarding its ads personalization.
The penalty is based on group complaints that the CNIL received on May 25 and 28 2018 from two privacy rights groups, namely; None Of Your Business (NOYB) and La Quadrature du Net (LQDN).
The GDPR establishes the ‘one-stop-shop’ principle, which provides that if an organization conducts cross-border data processing, the supervisory authority based in the member state of the organization’s main establishment (often the organization’s HQ) will be the lead supervisory authority. Although Google's European HQ is based in Ireland, the decision making authority regarding the issue at point, i.e. data processing concerning Google's Android operating system and Google's services, did not lie with Google’s European HQ in Ireland at the moment the investigation was launched, but in fact with Google’s corporate HQ, located in Mountain View, U.S.A.. In that sense, Google Ireland was not the main establishment and the “one-stop-shop mechanism” was therefore not applicable. It was thus decided among the relevant data protection authorities that the case would be handled by the CNIL.
Following the investigations carried out by the CNIL, the authority observed that Google failed to provide sufficient information to users about its data consent policies and didn’t provide them with enough control over how their information is used. The CNIL stated that Google failed to obtain clear consent since "essential information" was "disseminated across several documents". Moreover, "the relevant information is accessible after several steps only, implying sometimes up to five or six actions".
The CNIL feels that the amount of the fine is justified considering the severity of the infringements regarding the essential principles of the GDPR (transparency, information and consent).
In a statement, Google said: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."
Also interesting to note is that Google has also been accused of separate GDPR violations across seven European countries over its location tracking which according to the accusation reflects a “deceptive practice”.
Keep an eye out for our more thorough analysis of CNIL’s decision and its possible impact, as well as our updates regarding the separate alleged GDPR violations.
The report of the CNIL can be read here.