In France, the data protection regulatory authority CNIL has sanctioned Google with its largest General Data Protection Regulation financial penalty to date, €100m, in relation to a breach of the GDPR legislation which governs the use of online advertising trackers (cookies).In its ruling CNIL said that Google failed to confirm consent from visitors to its websites before placing advertising tracking cookies on their computer. In the ruling, the CNIL said: “On 16 March 2020, the CNIL conducted an online investigation on the website google.fr and found that when a user visited this website, cookies were automatically placed on his or her computer, without any action required on his or her part. Several of these cookies were used for advertising purposes”. It added: “Since this type of cookies can only be placed after the user has expressed his or her consent, the restricted committee considered that the companies had not complied with the requirement provided for in Article 82 of the French Data Protection Act regarding the collection of prior consent before placing cookies that are not essential to the service.
It was also confirmed that the majority of the fine, €60m, must be paid for by the Google US-registered entity Goggle LLC with the just €€40m to be paid by the Google EU-based entity Google Ireland Limited. The CNIL denied the claims of Google that the body did not have the power to impose the sanctions due to the fact that Google’s EU headquarters are located in Ireland and Luxembourg and the data regulatory authorities in those EU member states should be conducting the investigation. In the past, the relevant data protection entities in Ireland and Luxembourg had tended to take a softer approach in relation to the sanctioning of GDPR fines.
Along with the financial penalties, CNIL also directed Google to make all impacted individuals aware of the breach, in accordance with Article 82 of the French Data Protection Act, within three months. If it fails to do so it will be faced with a fine of €100,000 for every further day that the delay persists.This represents the largest ever single fine sanctioned by the CNIL and comes on the same day that a €35m penalty was sanctioned against online shipping giant Amazon. Coincidentally the previous largest fine sanctioned by CNIL was for a breach of the EU data privacy rules by Google. Google has long been at odds with the European Commission also and, to date, has been fined more than €8.2bn euros in three antitrust cases.
Responding to the fines a Google spokesperson said in an officially-released statement: “We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today’s decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving.”