French CNIL Data Protection Agency Sanctions Google with €50m Penalty for GDPR Breach

CNIL, the French data protection regulator, has advised Google that it must pay a €50m fine for violating its obligations as per the European Union’s General Data Protection Regulation (GDPR).

The agency published a statement which confirmed that the fine was being applied as Google was unable to provide users with information in relation to its data consent policies. Along with this, the Internet giant did not  permit users to manage how their private information is being used. Under the terms of GDPR, which became enforceable on May 25 2018, all companies must have the user’s ‘genuine consent’ before obtaining their private data.

The initial complaint was submitted to the CNIL by the group ‘None of Your Business’ which was established by Austrian Privacy advocate Max Schrems. Another complaint was submitted by France’s ‘Quadrature du Net’ group on behalf of a group of 10,000 signatories.

A CNIL representative said: “(Also) the information provided is not sufficiently clear for the user to understand the legal basis for targeted advertising is consent, and not Google’s legitimate business interests. The amount decided, and the publicity of the fine is justified by the severity of the infringements observed regarding the essential principles of the General Data Protection Regulation (GDPR): transparency, information and consent. Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”

A Google representative, commenting on the news, said that the company is dedicated to meeting the high standards of transparency and control that its users expect. He added that the company was overlooking CNIL’s decision in order to decided what its next steps will be. He said: “People expect high standards of transparency and control from us. We are deeply committed to meeting those expectations and the consent requirements of the GDPR. We are studying the decision to determine our next steps.”

So far, this is the biggest fine to be sanctioned in relation to a GDPR breach. This data privacy legislation states that a company which is discovered as being breach may be fined €20m or 4% of annual global revenue for the previous financial year. Using this method to calculate a fine, Google may be considered as very lucky given that the annual global revenue of the company for the last quarter of 2018 was just under €30bn according figures made public by Statista.

Schrems gave his reaction to the news of the fine: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems in a statement. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”