The CNIL has imposed a 50 million euro fine on Google on the grounds that the it lacks transparency, consent and satisfactory information for users.
On the 25th and 28th of May 2018, Google was criticised for failing to provide a valid legal basis for processing personal data, in particular for the purposes of personalised ads.
The CNIL’s sanction is based on three key problem areas:
- Lack of transparency: The CNIL has argued that relevant information is not easily accessible to Google’s users because it is scattered and hidden.
- Deficiencies in information: According to the CNIL, there is a vagueness and ambiguity in the drafting of basic information around data processing.
- Lack of consent: A lack of legal basis for the processing of data for personalised advertisements is included in the deficiencies already described, since the CNIL considers that the information provided to the user in this sense is not sufficient. In addition, the withdrawal options are neither clear nor easy to access, and consent is marked by default, without the user’s positive action.
Crucially, this is the first time that the CNIL has had to apply the maximum penalty allowed under the General Data Protection Regulation (GDPR). Critics have argued that the fine and associated press coverage are to be expected due to the seriousness of the breach. Similarly, since the tech giant’s economic model is partly based on the personalisation of advertisement, many agree that google should take a degree of responsibility to be compliant in that area.
The CNIL was competent to deal with this case under article 56 in relation to articles 61 and 62 of GDPR, after deriving from the acts of cooperation between European authorities that Google did not have a principal establishment in the EU territory.