On 21/Jan/2019, Google Inc received a privacy fine of EUR 50,000,000. The enforcement authority (French Data Protection Authority (CNIL)) has cited these legal provisions in imposing the fine on Google Inc: Article 5 GDPR/Article 6 GDPR/
|Date of enforcement action:|
|France||EUR 50,000,000 (US$55,372,000)|
|Defendant company or entity:||Industry segment:|
|Google Inc||Technology /|
On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.
On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.
The violations observed by the restricted committee
On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR.
A violation of the obligations of transparency and information:
First, the restricted committee notices that the information provided by GOOGLE is not easily accessible for users.
Indeed, the general structure of the information chosen by the company does not enable to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.
Moreover, the restricted committee observes that some information is not always clear nor comprehensive.
Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.
A violation of the obligation to have a legal basis for ads personalization processing:
The company GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons.
First, the restricted committee observes that the users’ consent is not sufficiently informed.
The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.
Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.
When an account is created, the user can admittedly modify some options associated to the account by clicking on the button « More options », accessible above the button « Create Account ». It is notably possible to configure the display of personalized ads.
The fine imposed by the restricted committee and its publicity
The CNIL restricted committee publicly imposes a financial penalty of 50 Million euros against GOOGLE.
This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.
Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.
Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.
Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone. Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.
(CNIL, Official Release in EN)
Enforcement authority: Type of enforcement action: French Data Protection Authority (CNIL) Penalty notice
Subject to appeal? Not known
Cite this fine in your work
Data Privacy Fines Index. (2019-01-21 04:26) Google Inc fined EUR 50 million. dataprivacyfines.com. Retrieved from https://dataprivacyfines.com/fine/google-inc-eur-50-million/
Entry last updated: 2020-04-13 10:56 GMT.