22 Jan 2019
France's National Data Protection Commission (CNIL) issued a 50 million euro fine against Google on 21 January 2019 for GDPR infringements. This was the highest fine for privacy violations so far. CNIL's decision on the amount was based on the severity of the infringements of the GDPR principles of transparency, information and consent.
After receiving two complaints from noyb.eu and the French NGO 'La Quadrature du Net', CNIL forwarded them to its European counterparts to assess whether it had the authority to deal with them. Under Regulation 2016/679, the 'lead authority' is the Data Protection Authority (DPA) of the country where the organization has its main establishment. Google's headquarters are located in Ireland. Yet the Irish DPA considered that Google did not have a main establishment in the European Union for the processing operations carried out during the creation of a Google account via the Android mobile operating system. So the one-stop-shop mechanism could not be applied, and CNIL was as competent as any other DPA.
After online inspections, CNIL found that essential information, such as the purposes of the data processing and the categories of personal data used for ads personalization, was neither clear nor easily accessible to users. The purposes of processing were described in a vague way, so the user was unable to understand that the legal basis for the ads personalization processing operations was consent, not Google's legitimate interest. Moreover, this information was only reachable after several actions, which required clicking on links and buttons to access complementary information.
CNIL also observed that Google did not validly obtain the user's consent for ads personalization processing. Under the GDPR, companies are required to ask for the user's specific and unambiguous consent before collecting their information, and they must provide enough information about their data processing policies. However, in the case of ads personalization, the user had to click on 'more options' to configure the display of personalized ads, and this option was already pre-ticked. This did not comply with the GDPR, since consent must be given by a clear affirmative action, such as ticking a box that is not pre-ticked. As for the boxes the user had to tick before creating the account, they referred to consent for all of the processing purposes at once, so the consent given by the user was not specific. Finally, the information provided by Google about the processing operations for ads personalization was not clear, and thus the user could not be aware of their extent.
All of the violations observed deprived users of control over their data and might entail the disclosure of aspects of their private life. In any case, the large number of people using the Android operating system to create a Google account, and Google's economic model, which is partially based on ads personalization, make compliance with the Regulation essential.