Google Hit With £44 Million GDPR Fine
The CNIL’s restricted committee found that Google had breached the GDPR in two ways.
France’s National Commission on Informatics and Liberty (CNIL) has imposed a record 55 million euro (£44 million) fine on Google for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”.
On the 25th and 28th May 2018, the CNIL received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10,000 people to refer the matter to the CNIL. The two groups claimed Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.
The CNIL launched its investigation in September 2018 in order to verify the compliance of the processing operations implemented by Google with the French Data Protection Act and the GDPR.
The CNIL’s restricted committee, responsible for examining breaches of the Data Protection Act, determined that there had been two types of breaches of the GDPR.
The committee said Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents”.
It added: “The relevant information is accessible after several steps only, implying sometimes up to five or six actions. Users are not able to fully understand the extent of the processing operations carried out by Google.”
The CNIL said the company had also failed to obtain a valid legal basis to process user data.
“The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent,” the CNIL said in a statement.
The option to personalise ads, it noted, was “pre-ticked” when creating an account, which goes against the GDPR.
The committee explained: “The user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalisation, speech recognition, etc). However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”
Google said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR.”