Google issued with €50 million fine by CNIL for data protection practices

The French counterpart to our own Information Commissioner, the Commission nationale de l'informatique et des libertés (CNIL), has issued a €50 million fine (£44 million or nearly US$57 million) against Google LLC.

The investigation by CNIL and the resulting fine came about following complaints submitted to CNIL in May 2018 by two data protection pressure groups: None of Your Business (NOYB), led by privacy campaigner Max Schrems, and La Quadrature du Net (LQDN), on behalf of 9,974 individuals.

These complaints were that:

  • Android mobile users were forced to accept Google’s privacy policy and general terms and conditions in order to use their device (submitted by NOYB); and
  • Google has no lawful basis to process personal data for behaviour analysis and advertising personalisation (submitted by LQDN).

The CNIL found that while Google had made progress in its data protection practices in recent years, it had still failed to comply with the requirements of the GDPR by:

  • not processing personal data in a transparent manner;
  • not providing sufficient or satisfactory information to data subjects regarding its processing activities; and
  • collecting invalid consent to the processing of personal data for advertising personalisation.

Under the GDPR, the maximum fine that CNIL could have imposed was 4% of Google’s annual worldwide turnover. Doing so would have left Google with a bill for €3.84 billion (US$4.28 billion or £3.35 billion). On reflection, CNIL’s fine (0.005% of Google’s turnover), while much more significant than any levied under the old data protection rules, could certainly have been worse. As the European Information Commissioners adjust to their new powers and sanctions, perhaps we will see more willingness to impose substantial fines. Of course, it is best to avoid fines altogether!