On the 21st of January 2019, the CNIL (Commission Nationale de l’Informatique et des Libertés) fined Google €50 million under the GDPR (General Data Protection Regulation) for a lack of transparency towards data subjects, for the lack of valid consent for ads personalization, and for not offering proper and clear information to users.
The complaints were filed in May 2018 by two organizations, Noyb and La Quadrature du Net (LQDN). The first complaint was filed on the 28th of May 2018, immediately after the GDPR became enforceable.
Google did not have a valid legal basis for processing users’ data for ads personalization, as mandated by the GDPR.
Although Google is headquartered in Ireland, it was decided that this case would be handled by the French data regulator.
Lack of transparency
Following the investigations carried out by the CNIL, it was observed that the tech giant did not obtain clear consent to process the data because the information was spread across several documents. “The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions,” argued the data regulator. “Users are not able to fully understand the extent of the processing operations carried out by Google.”
Lack of valid consent
Google claims that it obtains the user’s consent to process data for ads personalization. However, the CNIL considers that the consent is not sufficiently informed.
The CNIL fined Google €50 million. The amount is justified by the gravity of the violations of the main principles of the GDPR: transparency, information and consent. Google appealed the decision on the ground that the French authority has no jurisdiction over its headquarters.
On the 12th of June, Google lost the appeal and was forced to pay the large amount established by the data regulator.
Sovy’s GDPR Essentials can help you with each of the steps laid out above:
- Walk through a data mapping exercise and build your data inventory.
- Train your employees with industry-standard eLearning courses.
- Maintain your compliance program in the cloud.
- Manage cookie consent and data rights.