CNIL imposes 50 million fine on Google
The complaints against Google were filed with the French data protection authority (CNIL) by the NOYB (None Of Your Business) association and the LQDN (La Quadrature du Net). Both criticized Google for not having a valid legal basis for processing personal data, especially for the purpose of personalizing advertising.
The defects found
CNIL found that the information provided was not easily accessible to users. Essential information, such as the purposes for which the data are processed, the duration for which the data are stored, and the categories of data used to personalize the advertising, are scattered across several documents and are only accessible via several links and buttons.
Likewise, the information is not always clear and understandable for the user. The scope of Google’s processing was also not comprehensible to users. The information provided is not clear enough for users to understand that the legal basis for advertising personalization is user consent and not Google’s legitimate interest.
In addition, the consent of the users was not effectively obtained because they were not properly informed about it and the consent was not specific and unambiguous. It was not possible for users to identify the variety of services involved in this processing (e.g. Youtube, Google Maps, Google Search, etc.). Consent to personalized advertising is also ambiguous because it is allowed as a default setting. According to the GDPR, the user must take a positive action to agree to consent (e.g., check a box).
Consent is also not specific because users give only one common consent for all processing operations. However, according to the GDPR, the user must give consent for each processing individually for it to be legally effective.
Why the penalty was so high
The French data protection authority therefore decided to fine Google 50 million euros. The high fine resulted from the seriousness of the identified deficiencies, namely the violation of the principles for the processing of personal data.
Update: Google has appealed the penalty.
Art des Verstoßes:
violated duty to inform
Waren sensible Daten betroffen?:
Violation of GDPR Paragraph:
12. Transparent information, communication and modalities for the exercise of the rights of the data subject
13. Information to be provided where personal data are collected from the data subject
14. Information to be provided where personal data have not been obtained from the data subject
21. Right to object
25. Data protection by design and by default
31. Cooperation with the supervisory authority
5. Principles relating to personal data processing
6. Lawfulness of processing
7. Conditions for consent
83. General conditions for imposing administrative fines