On 21 January 2019, the French National Data Protection Commission (CNIL) imposed a €50m (£44m) fine against Google LLC, following complaints made by the privacy rights groups None Of Your Business and La Quadrature du Net three days after the enactment of the General Data Protection Regulation (GDPR).
The CNIL found that, despite seeking to implement corrective measures, Google had:
- breached its obligations to act transparently and provide information in a way that was easily accessible to its users. Relevant information about data collection and processing was only accessible after several (and up to 5 or 6) actions, and was neither clear nor comprehensive, and
- lacked any legal basis for processing its users’ data in order to provide personalised adverts. Users had given consent to Google for all the processing purposes carried out by Google (including ads personalisation but also speech recognition and other purposes). Consent, under the GDPR, must be specific and given distinctly for each processing purpose.
This is a significant development in the field of data protection, demonstrating that at least one European Data Protection Agency is willing to flex its enforcement muscles, and reminding global firms that failures to comply with the GDPR may be met with multi-million pound fines.
This penalty from the CNIL is noteworthy for several reasons:
- Although Google LLC has European headquarters in Ireland, EU authorities agreed that Google did not have a “main establishment” in the European Union. Therefore, the “one-stop shop mechanism” did not apply and the Irish Data Protection Agency was not the “lead authority” to make decisions about Google LLC’s cross-border processing. Accordingly, it was open to the CNIL to investigate the complaints about Google LLC’s processing operations.
- This is the largest fine ever levied under the GDPR (a Portuguese hospital was fined €400,000 in December 2018, and a German social media company was fined €20,000 in November 2018), and the first such enforcement action by the CNIL. Nonetheless, it is likely well below the maximum fine allowed under the GDPR (up to 4% of Google LLC’s annual global turnover).
- The CNIL declared that these breaches are ongoing, which was a significant factor in determining the size of the fine. It will be interesting to see what, if any, further enforcement action is taken (by the CNIL or any other European DPA) in the event additional privacy complaints are issued against Google LLC for substantially the same activity.
- This is the first of a series of complaints that these privacy groups have reportedly made against several large technology companies to the CNIL. In the event that further fines are levied by the CNIL, it will be interesting to see if this results in France becoming the jurisdiction of choice for privacy campaigners.