Google fined 50 million EUR for GDPR breach

  • January 15, 2019

Google was found in breach of the European Union’s General Data Protection Regulation (GDPR) and was fined 50 million EUR by the French data protection authority (Commission nationale de l’informatique et des libertés – the CNIL) on 21 January 2019.

The complaints came from two associations in May 2018, claiming that Google did not have sufficient legal justification to process users’ personal data, specifically for ad personalization.

The regulator found two main infringements, namely:

1)   Breach of transparency and information obligations

Google did not make the relevant, mandatory data protection notice easily accessible to users.

According to the findings of the CNIL, the information provided to users about how their data was to be processed, how long it was to be retained, and how it would be used in features such as ad personalization was insufficient. Information was scattered, and users had to go through multiple (5 to 6) successive clicks to access it. Furthermore, according to the CNIL, the information was “not always clear and comprehensive” and was found to be rather generic. This contravened the transparency obligations under Articles 12 and 13 of the GDPR.

Moreover, Google was also not clear about the purposes for which it processed users’ data. The CNIL held that Google’s processing activities were “particularly massive and intrusive” due to the multiple purposes for which Google processed personal data. Users were not sufficiently informed about the range of services, websites and other features involved in processing their data. The services using this data included not only Google search, but also Google Maps, YouTube and around 17 other services.



2) Breach of legal basis obligation – invalid consent

Google also did not collect sufficient consent from its users before obtaining and processing personal data for the purpose of ad personalization. According to the GDPR, consent shall always be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

The CNIL found two reasons why Google’s reliance on user consent as the legal basis for processing personal data for its ad personalization activities was invalid under Articles 4 and 6 of the GDPR:

(i)  Pre-ticked boxes – under the “More Options” button which would allow users to specify preferences, including altering how personalized ads are shown, the box permitting ad personalization was already pre-ticked.

According to the CNIL, this made the consent ambiguous rather than unambiguous, as the GDPR requires. The CNIL also stated that users were not fully informed and could not fully understand the processing activities to which they were consenting. The CNIL concluded that the consent information Google provided was “diluted in several documents”.

(ii)  To complete signing up for an account, users had to tick a box specifying that they agreed to Google’s Terms of Service and tick a box that stated, “I agree to the processing of my information as described above and further explained in the Privacy Policy”. Such consent afforded Google the ability to utilise users’ data for an array of subsequent features. The CNIL held that users were not aware of all the features the consent was obtained for and that, as such, the consent did not meet the specified threshold for providing a legal basis for processing personal data under Article 6 of the GDPR.


Epilogue

With the fine of 50 million EUR, the French regulator emphasizes the seriousness of Google’s failure to comply with the GDPR.

Although Google’s headquarters is in Ireland, the fine was issued by the French regulator. This is because the Irish authorities did not have “decision-making power” over Google’s Android operating system and Google’s services. An appeal will most likely be filed in the coming months, not only on the matter of jurisdiction but also on the proportionality (size) of the fine on the one hand and its significance to online advertising revenues on the other.

The case clearly demonstrates the magnitude of the GDPR regime in practice and the impact that any breach of the GDPR can have on any business, small, medium or large. It also highlights the critical focus that EU DPAs have on the GDPR’s transparency requirements which seek to protect individuals from unlawful processing of their personal data.

We advise you to ensure that your data protection notices are appropriately brought to the attention of data subjects and that such notices and your Privacy Policy are accurate, up to date, written in simple language and fully meet all the requirements of the GDPR.

