You are here:
23 January 2019 / article

Google hit with highest GDPR fine so far by French data protection authority

The French data protection authority (CNIL) has sanctioned Google with a record fine of EUR 50 million under the General Data Protection Regulation (GDPR) for lack of transparency, inadequate information and lack of valid consent, in particular, regarding its ads personalization.

European Commission scrutinises competition issues in bank loan syndication

The penalty is based on group complaints that the CNIL received on May 25 and 28 2018 from two privacy rights groups, namely; None Of Your Business (NOYB) and La Quadrature du Net (LQDN).

The GDPR establishes the ‘one-stop-shop’ principle, which provides that if an organization conducts cross-border data processing, the supervisory authority based in the member state of the organization’s main establishment (often the organization’s HQ) will be the lead supervisory authority. Although Google's European HQ is based in Ireland, the decision making authority regarding the issue at point, i.e. data processing concerning Google's Android operating system and Google's services, did not lie with Google’s European HQ in Ireland at the moment the investigation was launched, but in fact with Google’s corporate HQ, located in Mountain View, U.S.A..
In that sense, Google Ireland was not the main establishment and the “one-stop-shop mechanism” was therefore not applicable. It was thus decided among the relevant data protection authorities that the case would be handled by the CNIL.

Following the investigations carried out by the CNIL, the authority observed that Google failed to provide sufficient information to users about its data consent policies and didn’t provide them with enough control over how their information is used. The CNIL stated that Google failed to obtain clear consent since "essential information" was "disseminated across several documents". Moreover, "the relevant information is accessible after several steps only, implying sometimes up to five or six actions".

The CNIL feels that the amount of the fine is justified considering the severity of the infringements regarding the essential principles of the GDPR (transparency, information and consent).

In a statement, Google said: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR."

Also interesting to note is that Google has also been accused of separate GDPR violations across seven European countries over its location tracking which according to the accusation reflects a “deceptive practice”.

Keep an eye out for our more thorough analysis of CNIL’s decision and its possible impact, as well as our updates regarding the separate alleged GDPR violations.

The report of the CNIL can be read here.

For more information please contact our Data Protection & Privacy team.

Class actions for breaches of the GDPR

Since the GDPR entered into force, there has been ample attention for regulatory enforcement and high fines. read more
Belgian Data Protection Authority scrutinised by Brussels Markets Court

Belgian Data Protection Authority scrutinised by Brussels Markets Court

In February 2020, the Markets Court (a division of Brussels’ Court of Appeal) annulled the decision by which the Belgian Data Protection Authority (BDPA) had... read more
Belgian DPA releases recipe for compliant cookies

Belgian Data Protection Authority releases recipe for compliant cookies

During these corona times, we have noticed a trend whereby many of us have started baking (cookies, cakes, and other delicious treats). It now appears that the... read more