On January 21, 2019, a select panel of the French data protection authority, CNIL, which has the power to impose sanctions, fined a major technological services provider 50 million following its failure to comply with the obligations provided for in the General Data Protection Regulation (GDPR). The provider did not adhere to transparency and information obligations, and it did not set up a legal database for processing personal data collected for advertising purposes.
Following the implementation of the GDPR on May 25, 2018, the CNIL received collective complaints concerning this particular Internet giant from Austrian nonprofit None of Your Business and French NGO La Quadrature du Net. They claimed that it did not have a valid legal database for processing the personal data of service users, in particular for the purpose of the personalization of advertisements.
In order to monitor the provider's compliance with the GDPR and the Data Protection Act concerning personal data processing, the CNIL analyzed the user experience and the accessible information during the registration process when configuring mobile equipment.
The CNIL first noted a breach of transparency and information obligations. In particular, users did not have easy access to relevant information; it was spread over several documents that were accessible only in multi-stage processes. In addition, the information provided was not always clear and understandable. Users could not therefore understand the extent of the data processing operations carried out by the service. The intended purposes of the information were...