French Data Protection Agency hits Google with €50m GDPR Fine

January 23, 2019


CNIL, the French data protection watchdog, has sanctioned Google with a €50m penalty for breaching its responsibilities laid down by the European Union’s General Data Protection Regulation (GDPR).

The organization issued a statement which said that the penalty was being applied as Google was not able to supply users with information concerning its data approval policies. Moreover, the Internet giant didn’t allow users to manage how their confidential information is being used. Under GDPR, which became enforceable on May 25, 2018, all businesses should have the user’s ‘genuine consent’ before collecting their personal data.

The initial complaint was filed with CNIL by the group ‘None of Your Business’ which was established by Austrian Privacy advocate Max Schrems. The other complaint was filed by France’s ‘Quadrature du Net’ group on behalf of 10,000 signatories.

A representative for CNIL said: “(Also) the information provided is insufficiently clear for the user to know the legal basis for targeted advertising is consent, and not Google’s genuine business interests. The amount decided, and the publicity of the penalty is justified by the harshness of the infringements observed concerning the important principles of the General Data Protection Regulation (GDPR): transparency, information, and approval. Additionally, the violations are continuous breaches of the Regulation as they are still observed to date. It’s not a one-off, time-limited, infringement.”

A Google representative, responding to the news, reiterated that the company is concentrating on meeting the high standards of transparency and control that its users suppose. They said that the business was reviewing CNIL’s decision in order to decide its next steps. He said: “People assume high standards of transparency and control from us. We are deeply dedicated to meeting those expectations and the approval requirements of the GDPR. We are studying the decision to decide our next steps.”

So far, this is the biggest penalty to be issued for breaching GDPR law. This law states that a business which is found to be in breach of it may be penalized €20m or 4% of annual global income for the preceding year. Taking this into account, Google may be considered as lucky given that the annual global income of the company for the last quarter of 2018 was just under €30bn as per Statista.

Schrems replied to the news in saying: “We are very delighted that for the first time a European data safety authority is using the possibilities of GDPR to punish clear violations of the law,” said Schrems in a statement. After the introduction of GDPR, we have found that big companies such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that just claiming to be compliant is not sufficient.”

Google is presently facing accusations of breaching GDPR in seven European Union Member States.