On 21 January 2019, the French data protection watchdog, CNIL, fined Google €50 million following an investigation into the organisation’s General Data Protection Regulation (GDPR) compliance.
Whilst only a drop in the ocean for Google, who reportedly made $33.74 billion in the last quarter alone, the fine shows the enhanced abilities of privacy regulators following the implementation of the new data protection regime.
The CNIL investigation was launched shortly after complaints were received on 25 May 2018 from NOYB, an Austrian non-profit organisation run by Max Schrems, and La Quadrature du Net, a French NGO, relating to ‘forced consent’.
The investigation concluded that Google breached the GDPR in the following ways:
- By violating the obligations of transparency and providing information to data subjects; and
- By violating the obligation to have a legal basis for personalising advertisements (including by not obtaining valid consent for this).
On their website, CNIL state that, in relation to the first of the breaches, Google has not provided information in an easily accessible format, stating that ‘essential information… [is] excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information’ the number of clicks required to access the information was between 5 or 6 and, once accessed, was not deemed to be sufficiently clear or comprehensive.
With regard to the second violation, Google relies on the consent of the user in order to process data for advertising personalisation purposes. However, CNIL found that this was not validly obtained as it was not sufficiently informed, specific or unambiguous. In particular, the use of a pre-ticked box to indicate consent falls afoul of the definition contained within Article 4(11) of the GDPR that stipulates that a ‘…clear affirmative action’ is required.
The significance of this finding is primarily a result of the size of the fine, which is now the largest fine to have been levied by any European regulator for a GDPR breach. Other fines to date have been between €4,800 and €400,000, a far cry from the €50 million levied against Google.
Additionally, the case can be seen as a warning shot to technology giants that some, such as NOYB, believe use their position to obtain an advantage and comply with data protection laws in creative ways. Consequently, the eight other companies, including the likes of Amazon Prime, Apple Music, Netflix, Spotify and YouTube that were subject of complaints from NOYB relating to violations of Article 15 of the GDPR (Right of access by the data subject) should be understandably concerned that the fine levied against Google could set an expensive precedent.
Whilst Google has yet to announce whether it will be appealing the fine, it did release a statement that stipulated that it understands that high standards of transparency were expected of it and that Google is ‘committed to meeting those expectations and the consent requirements of the GDPR’.
Edwin Coe LLP is a Limited Liability Partnership, registered in England & Wales (No.OC326366). The Firm is authorised and regulated by the Solicitors Regulation Authority. A list of members of the LLP is available for inspection at our registered office address: 2 Stone Buildings, Lincoln’s Inn, London, WC2A 3TH. “Partner” denotes a member of the LLP or an employee or consultant with the equivalent standing.