French National Data Protection Commission (“CNIL”) fines Google €50,000,000 for data protection violations

Brief: In the first use of its powers under the General Data Protection Regulation (“GDPR”), the CNIL, the French supervisory authority and equivalent of our Data Protection Commission (“DPC”), has fined Google for breaching the GDPR rules on the legal basis for processing and on transparency and information.

Basis: Google’s obligations to comply with these rules are outlined in Articles 6 and 12, respectively, of the GDPR. Infringements relating to Articles 6 and 12 attract administrative fines of up to €20 million, or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher). Whilst the CNIL has not provided details regarding the basis or breakdown of these fines, it appears that it may have imposed fines of up to 4% and in excess of €20 million.

Background: Two not-for-profit organisations made complaints to the CNIL on 25 and 28 May 2018, claiming Google had no legal basis for processing the personal data of its users (data subjects), in particular for the purpose of ad personalisation. The CNIL found that the Google privacy notice was not always clear or comprehensive for users and that this breached Google’s obligations regarding transparency and information. It also found that Google was in violation of its duty to have a legal basis for processing, namely specific, informed and unambiguous consent, as Google’s process for obtaining consent used pre-ticked boxes and bundled consent.

In late January 2019, Google confirmed it is to appeal against its record €50 million fine levied by the CNIL over non-compliance with the GDPR. “We have worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible”, the company said in a statement. Our view on this is that the European Court of Justice will strictly apply the consent rules under GDPR, which demand a high threshold of transparency. Consent must be unequivocally and freely given to any digital online search engine which processes personalised ads in a targeted way. The GDPR does not limit publishers or original content creators or even technical companies in Europe from processing personal data as long as it is done lawfully. The approach taken by the European Courts in this case will be interesting and we expect it to be unforgiving.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Legal advice should always be taken before acting on any of the matters discussed.