CNIL_sanction_google
23. January 2019

50 Million Euro financial penalty imposed on Google: The CNIL counter-attacks!

On 21 January 2019, the CNIL’s (french national data protection commission) restricted committee decided to impose a penalty of 50 million euros on Google for violation of the obligations of transparency, information and consent imposed by the General Data Protection Regulation. [1] Thunderclap and drum roll… the web giant has received the most important sanction pronounced so far by the CNIL.

Everyone may remember the collective complaints that were filed as soon as the European Data Protection Regulation (GDPR) became effective on 25 May 2018 by the None Of Your Business association and the La Quadrature du Net association.

What are the legal bases for this sanction?

During their investigation, the CNIL’s restricted committee could observe two breaches of the GDPR:

  • A violation of the obligations of transparency and information

The CNIL stated that important information concerning, for example, the use or storage of data was not presented in a clear and transparent manner by Google.

  • A violation of the obligation to have a legal basis for ads personalization and ads targeting processing

It’s important to recall that the validity of a consent is verified on the basis of 4 fundamental criteria: it must be free, informed, unambiguous and specific. In this case it is neither informed, unambiguous nor specific. Informed: Information on data processing is scattered over several documents, making it difficult to read. Univocal: users are forced to search the configuration page before registration and uncheck a box (a passive opt-in which is specifically prohibited by the GDPR ). Specific: Users must give their full consent, once and for all,  to the terms of use and privacy policy in order to use Google’s services.

In a statement, the American web giant announced that it would take into consideration its users’ desire for transparency but has not yet reacted directly to the claim. Some will say that 50 Million euros  is a trifle for a company that generates a turnover of about 285 million euros per DAY (in 2017 Google had a turnover of 96 billion euros)!

But it is still a big step that has been taken by the CNIL, as the members of the Quadrature du Net hope, this may be the beginning of trouble for Google, indeed the association had also filed a complaint for non-compliance with the GDPR about the Youtube, Gmail and Google Search tools. As you can see on an image from the Quadrature du Net website: “Google – 50 Million for a start”. To be continued.

[1] https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc

21. November 2018
Six months into GDPR: what we learned

Call or write us:

+49 30 2178066
[email protected]

Nils Olhorn
Customer service manager
Monday – Friday 9.00 – 18.30

Your data will of course be treated confidentially. Data transmission is encrypted. Further information can be found in our data privacy declaration.