The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed the first penalty for violation of GDPR – a €50 million (approximately $57 million) fine on Google LLC for violating the European General Data Protection Regulation (GDPR). The fine resulted from CNIL’s investigation of complaints filed by two data privacy watchdog organizations in May 2018, when the GDPR came into effect. CNIL’s allegations focus on a lack of transparency and a lack of informed consent. Specifically, CNIL alleges that information about the company’s use of personal information, the types of information used to personalize advertisements, the legal basis for processing, the period during which the company retains some user data, and the collection of information about the user’s location is not sufficiently accessible. CNIL also concluded that Google’s method of obtaining consent is not valid because (i) information about how the data will be used is dispersed in various locations throughout the user interface, making it impossible for a user to realize the breadth of services for which personal data will be used, and (ii) the consent given is not sufficiently specific and unambiguous. CNIL could have imposed a harsher fine – GDPR allows for fines up to 4% of “global turnover” – but explained that it thought the fine adequately captured the seriousness of the allegations.
January 21, 2019
French data protection enforcer fines Google for data protection violations
Related by Topic
New Post
SEC settles with Flagstar to resolve charges related to misleading cyber disclosures
December 17, 2024
News Alert
FTC bans three data brokers from collecting and selling consumers’ sensitive location data
December 6, 2024
News Alert
The SEC Settles Enforcement Actions with Four Companies for Cyber Disclosure Failures
October 29, 2024
Insight