Google fined 50 million EUR for GDPR breach
Google was found in breach of the European Union’s General Data Protection Regulation (GDPR) and received a fine of 50 million EUR from the French data protection authority (Commission nationale de l’informatique et des libertés, the CNIL) on 21 January 2019.
The complaints came from two associations in May 2018, claiming that Google did not have sufficient legal justification to process users’ personal data, specifically for ad personalization.
The regulator found two main infringements, namely:
1) Breach of transparency and information obligations
Google did not make the relevant and mandatory data protection information easily accessible to users.
According to the findings of the CNIL, the information provided to users about how their data was to be processed, how long it was to be retained, and how the data would be used in features such as ad personalization was insufficient. The information was scattered, and users had to go through multiple (5 to 6) successive clicks to reach it. Furthermore, according to the CNIL, the information was “not always clear and comprehensive” and was found to be rather generic. This contravened the transparency obligations under Articles 12 and 13 of the GDPR.
Moreover, Google was also not clear about the purposes for which it processed users’ data. The CNIL held that Google’s processing activities were “particularly massive and intrusive” because of the multiple purposes for which Google processed personal data. Users were not sufficiently informed about the range of services, websites and other features involved in processing their data. The services using this data included not only Google Search, but also Google Maps, YouTube and around 17 other services.
2) Breach of legal basis obligation – invalid consent
Google had also not collected sufficient consent from its users prior to obtaining and processing personal data for the purpose of ad personalization. Under the GDPR, consent must always be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. The CNIL found two reasons for which Google’s reliance on user consent as the legal basis for processing personal data for its ad personalization activities was invalid under Articles 4 and 6 of the GDPR:
(i) Pre-ticked boxes – under the “More Options” button, which allowed users to specify preferences, including altering how personalized ads are shown, the box permitting ad personalization was already pre-ticked.
According to the CNIL, this made the consent ambiguous rather than unambiguous, as the GDPR requires. The CNIL also stated that users were not fully informed and could not fully understand the processing activities to which they were consenting. The CNIL concluded that the consent information Google provided was “diluted in several documents”.
(ii) For users to complete signing up for an account, they had to tick a box specifying that they agreed to Google’s Terms of Service and tick a box that stated, “I agree to the processing of my information as consent afforded Google the ability to utilise users’ data for an array of subsequent features. The CNIL held that users were not aware of all the features for which the consent was obtained and that, as such, it did not meet the threshold required to provide a legal basis for processing personal data under Article 6 of the GDPR.
Although Google’s headquarters are in Ireland, the fine was issued by the French regulator. This is because the Irish authorities did not have “decision-making power” over Google’s Android operating system and Google’s services. An appeal will most likely be filed in the coming months, not only on the question of jurisdiction but also on the proportionality of the fine, weighing its size against the significance of online advertising revenues.
The case clearly demonstrates the magnitude of the GDPR regime in practice and the impact that any breach of the GDPR can have on any business, whether small, medium or large. It also highlights the critical focus that EU data protection authorities place on the GDPR’s transparency requirements, which seek to protect individuals from unlawful processing of their personal data.