In a landmark decision highlighting the stringent enforcement of the General Data Protection Regulation (GDPR), the French data protection authority (CNIL) levied a substantial 50 million euro penalty against Google LLC on January 21, 2019. This significant fine, which translates to approximately 54 million US dollars based on exchange rates at the time, was imposed due to Google’s failures in transparency and obtaining valid user consent for personalized advertising. This case serves as a critical example of the financial repercussions for companies not adhering to GDPR regulations and underscores the importance of data privacy for users worldwide.
The CNIL’s investigation was triggered by group complaints filed on May 25 and 28, 2018, by privacy advocacy organizations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN represented 10,000 individuals in their complaint, alleging that Google lacked a legitimate legal basis for processing user data, particularly for the purposes of personalizing advertisements. These complaints marked the beginning of a thorough examination into Google’s data processing practices under the newly implemented GDPR framework.
Following the complaints, the CNIL initiated an immediate investigation. Recognizing the GDPR’s “one-stop-shop mechanism,” designed for EU-established organizations to have a single point of contact with data protection authorities, the CNIL engaged with its European counterparts in June 2018. This mechanism typically designates the Data Protection Authority (DPA) in the country of an organization’s “main establishment” as the lead authority. In Google’s case, the expected lead authority would have been the Irish DPA, given Google’s European headquarters are located in Ireland.
However, discussions revealed that Google’s Irish establishment did not hold decision-making power over data processing operations related to the Android operating system and associated services, particularly concerning account creation during mobile phone setup. Consequently, the “one-stop-shop mechanism” was deemed inapplicable, granting the CNIL the jurisdiction to address Google LLC’s processing activities directly, alongside other DPAs. This interpretation aligned with the European Data Protection Board’s (EDPB) guidelines, solidifying CNIL’s authority in this specific case. To further investigate the complaints, CNIL conducted online inspections in September 2018. These inspections aimed to assess Google’s compliance with both the French Data Protection Act and the GDPR. The focus was on analyzing a user’s browsing behavior and accessible documents when creating a Google account during the setup of an Android mobile device.
The CNIL’s restricted committee, tasked with examining data protection breaches, identified two principal violations of the GDPR based on these inspections. These violations pertained to transparency and the legal basis for data processing, both critical components of GDPR compliance.
Lack of Transparency and Information
The first key violation identified by the CNIL was Google’s failure to provide easily accessible information to users regarding their data processing practices. The committee found that the structure of information presented by Google was not conducive to GDPR compliance. Essential details, such as the purposes of data processing, data retention periods, and categories of personal data used for ad personalization, were scattered across numerous documents. Users were required to navigate through multiple layers of buttons and links, sometimes involving five or six steps, to access complete information. For instance, obtaining comprehensive details about data collected for ad personalization or geo-tracking services was an unnecessarily complex process.
Furthermore, the CNIL determined that some information provided was neither clear nor comprehensive. Users were not given a sufficient understanding of the extensive nature of Google’s data processing activities. Given the vast array of services offered by Google (approximately twenty), coupled with the volume and sensitivity of the data processed and combined, the committee emphasized the “massive and intrusive” nature of these operations. Specifically, the purposes of data processing were described in overly broad and vague terms, as were the categories of data processed for these purposes. Crucially, the information failed to clearly communicate that user consent, rather than legitimate interest, was the legal basis for ad personalization processing. Finally, the committee noted the absence of retention period information for certain categories of data.
Invalid Legal Basis for Ad Personalization Processing
Google asserted that it obtained user consent to process data for personalized ads. However, the CNIL’s restricted committee concluded that this consent was not validly obtained, citing two primary reasons. Firstly, the committee found that user consent was not sufficiently informed. The information concerning data processing for ad personalization was fragmented across multiple documents, preventing users from fully grasping the scope of these operations. For example, within the “Ads Personalization” section, users were not made adequately aware of the numerous services, websites, and applications involved in these processing activities (including Google Search, YouTube, Google Home, Google Maps, and Play Store), thus obscuring the sheer volume and variety of data processed and combined.
Secondly, the committee determined that the consent obtained was neither “specific” nor “unambiguous.” During account creation, users could access configuration options, including ad personalization settings, by clicking a “More options” button located above the “Create Account” button. However, the box enabling the display of personalized ads was pre-ticked. The GDPR mandates that unambiguous consent requires a clear affirmative action from the user, such as ticking a box that is not pre-ticked. Moreover, when creating an account, users were required to agree to Google’s Terms of Service and the Privacy Policy in full, thereby giving blanket consent to every processing purpose that relied on consent (including ad personalization and speech recognition). The GDPR stipulates that consent must be “specific,” meaning it should be given distinctly for each purpose, which was not the case in Google’s consent mechanism.
The 50 Million Euro Fine and its Significance
As a result of these GDPR infringements, the CNIL’s restricted committee publicly imposed a financial penalty of 50 million euros on Google. At the time of the fine in 2019, this amount was equivalent to roughly 54 million US dollars, highlighting the substantial financial risk associated with GDPR non-compliance for international companies operating within the European Union. This marked the first instance of the CNIL applying the GDPR’s new, higher sanction limits. The magnitude of the fine and its public announcement were deemed necessary due to the severity and ongoing nature of the violations, particularly concerning the fundamental GDPR principles of transparency, information, and consent.
The CNIL emphasized that despite Google’s implemented measures, the observed infringements deprived users of essential safeguards regarding data processing that could reveal significant aspects of their private lives. This was due to the vast amount of data, the wide range of services involved, and the almost limitless potential combinations of data. The committee reiterated that the scale of these processing operations necessitates enabling users to control their data through sufficient information and valid consent mechanisms. Furthermore, the continuous nature of these violations, persisting even at the time of the decision, was a significant factor. Finally, the CNIL considered the dominant position of the Android operating system in the French market, with thousands of French users creating Google accounts daily via their smartphones. The committee also underscored that Google’s economic model is partly reliant on personalized advertising, making GDPR compliance an utmost responsibility.
This 50 million euro fine, roughly 54 million US dollars at the time, served as a clear message to global tech companies about the importance of GDPR compliance. It underscored the financial and reputational risks of failing to provide transparent information and to secure valid consent from users regarding their personal data. The case remains a significant precedent in GDPR enforcement and highlights the ongoing scrutiny of data privacy practices by regulatory bodies in the digital age.
For further details, you can refer to the original press release from CNIL in English and French. For inquiries, please contact CNIL directly at https://www.cnil.fr/en/contact-cnil.