January 21, 2019

French data protection enforcer fines Google for data protection violations

The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed the first penalty for violation of the European General Data Protection Regulation (GDPR) – a €50 million (approximately $57 million) fine on Google LLC. The fine resulted from CNIL’s investigation of complaints filed by two data privacy watchdog organizations in May 2018, when the GDPR came into effect. CNIL’s allegations focus on a lack of transparency and a lack of informed consent. Specifically, CNIL alleges that information about the company’s use of personal information, the types of information used to personalize advertisements, the legal basis for processing, the period during which the company retains some user data, and the collection of information about the user’s location is not sufficiently accessible. CNIL also concluded that Google’s method of obtaining consent is not valid because (i) information about how the data will be used is dispersed in various locations throughout the user interface, making it impossible for a user to realize the breadth of services for which personal data will be used, and (ii) the consent given is not sufficiently specific and unambiguous. CNIL could have imposed a harsher fine – GDPR allows for fines up to 4% of “global turnover” – but explained that it thought the fine adequately captured the seriousness of the allegations.