Co-authored by Aurore Palmisano
On 21 January 2019, the CNIL, the French data protection authority ordered Google to pay a fine of 50 million based on a violation of the General Data Protection Regulation (GDPR). This constitutes the largest fine reported to have been imposed under GDPR since it entered into force on 25 May 2018.
In May 2018, two consumer privacy rights organisations filed a collective action before the CNIL against Google. According to them, the American search engine did not have a valid legal basis to process the personal data of the users of its services and did not satisfy GDPR's requirements regarding transparency, information and valid consent. The complaints were mostly associated with Google's ad personalisation services.
The CNIL's restricted committee considered that Google violated the obligations of transparency and information enshrined in GDPR. It found that essential information such as processing purposes, retention periods, and categories of personal data used for purposes of personalised advertising were diluted among too many documents and needed too many steps to be reached, making them not easily accessible enough for users. It was also found that the information which was provided was not always clear and understandable and that users were then unable to fully understand the implications of the processing of their personal data.
The French regulator further held that Google did not fulfill its obligation to have a legal basis for data processing in the form of ads personalisation processing. The CNIL concluded that Google failed to obtain its users' adequate consent for three main reasons.
First, the users were not sufficiently informed to validly consent to the processing of their personal data. The information regarding this processing was disseminated in multiple documents and the display of the ads personalisation option did not clearly explain which services, applications and websites would be involved in the processing of the data...