Google has lost its appeal against the €50m General Data Protection Regulation (GDPR) fine imposed in January 2019 by the French data protection authority, the CNIL (Commission nationale de l’informatique et des libertés).
The fine was applied to Google after it was ruled that the group's consent-gathering process was not transparent, leaving users without the information they need to make an informed decision on consent, and that it lacked a proper legal basis for processing personal data for advertising purposes.
The first complaints in relation to this were submitted by ‘None of Your Business’, the data privacy advocacy group founded by Max Schrems, along with the French advocacy group ‘Quadrature du Net’, with 10,000 signatories. In the appeal hearing, the Conseil d’État, a part of the French government that acts as the supreme court of administrative justice, turned down the Internet giant’s request to have the penalty dismissed.
After the penalty was revealed during 2019, Google acted quickly to appeal the CNIL decision. The group published a statement which said it was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond” and attempted to justify its consent process for serving personalized ads.
The appeal was submitted with the claim that the French DPA does not have jurisdiction over Google’s European headquarters, as the office is located in Dublin, Ireland. For this reason, it was argued, the Irish Data Protection Commission is the relevant body that should lead all investigations into complaints regarding its working methods. However, the Conseil d’État did not agree with these claims.
Last January, when the fine was sanctioned, it was the highest fine to be applied under GDPR legislation, which became enforceable on May 25, 2018. Since that time, however, a larger fine has been sanctioned against British Airways by the Information Commissioner’s Office (ICO) in the United Kingdom. A €204m ($229m) fine was applied against the airline in July 2019 in relation to a 2018 data breach. The CNIL and ICO have, to date, taken companies to task in relation to GDPR data breaches, whereas the Irish agency has sought to implement a more lenient approach.
After the breach hearing at the CNIL last January, Schrems stated: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”