French Data Protection Agency hits Google with €50m GDPR Penalty

CNIL, the French data protection regulator, has sanctioned Google with a €50m fine for breaching its obligations laid down by the European Union’s General Data Protection Regulation (GDPR).

The agency released a statement which said that the fine was being applied as Google was unable to supply users with information regarding its data consent policies. Additionally, the Internet giant did not allow users to manage how their private information is being used. Under GDPR, which became enforceable on May 25 2018, all companies must have the user’s ‘genuine consent’ before collecting their private data.

The original complaint was filed with CNIL by the group ‘None of Your Business’ which was founded by Austrian Privacy advocate Max Schrems. The other complaint was filed by France’s ‘Quadrature du Net’ group on behalf of 10,000 signatories.

A spokesperson for CNIL said: “(Also) the information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google’s legitimate business interests. The amount decided, and the publicity of the fine is justified by the severity of the infringements observed regarding the essential principles of the General Data Protection Regulation (GDPR): transparency, information and consent. Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”

A Google spokesperson, reacting to the news, reiterated that the company is focusing on meeting the high standards of transparency and control that its users expect. They said that the company was reviewing CNIL’s decision in order to determine its next steps. He said: “People expect high standards of transparency and control from us. We are deeply committed to meeting those expectations and the consent requirements of the GDPR. We are studying the decision to determine our next steps.”

To date, this is the biggest fine to be issued for breaching GDPR legislation. This legislation states that a company which is found to be in breach of it may be fined €20m or 4% of annual global revenue for the previous year. Taking this into account, Google may be considered as fortunate given that the annual global revenue of the company for the last quarter of 2018 was just under €30bn according to Statista.

Schrems responded to the news in saying: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems in a statement. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

Google is currently facing accusations of breaching GDPR in seven European Union Member States.