Skip to content

Farrer & Co | An issue of consent: GDPR and Google's €50m fine

The CNIL, the French equivalent of the Information Commissioner’s Office (ICO) fined Google LLC €50m for a lack of transparency, inadequate information and absence of valid consent regarding advert personalisation and geo-tracking undertaken through Google’s Android mobile operating system.

Whilst the CNIL’s decisions are not binding on the ICO, it provides both an indication and warning of how supervisory authorities may interpret the General Data Protection Regulation (GDPR) and the level of fine a regulator may decide to award in the event of such a breach.

Privacy information

The CNIL’s decision criticised Google for providing privacy information across several documents (using hyperlinks and buttons) rather than including this information in a single document (or privacy notice). Furthermore, the CNIL viewed the privacy information as ‘not always clear or comprehensive’ and stated that ‘users are not able to fully understand the extent of the processing operations carried out’ as the purposes of Google’s processing and the categories of data processed were ‘too vague’.

Consent

In order to personalise adverts to mobile users, Google relied on consent as its legal basis. GDPR consent must be informed, opt-in and specific; however, the CNIL noted that user options to configure adverts included pre-ticked boxes whilst, to create an Android account, users were asked to agree with statements that applied to all of Google’s processing operations such as ‘I agree to Google’s Terms of Service’ and ‘I agree to the processing of my information as described above and further explained in the Privacy Policy’. The CNIL noted that consent can only be specific where it is given for each distinct purpose (eg advert personalisation, speech recognition, etc).

Size of fine

This is the first time the CNIL has imposed the new level of fine and it is, to date, the largest fine issued under GDPR across the EU. The CNIL justified the amount on the basis that the violations were considered severe and continuous breaches of GDPR and that a significant proportion of the French population have Google accounts on the Android system. It was also noted that, as advert personalisation was a significant part of Google’s business, it was important that it complied with the regulations.

What should we learn from this?

Significant fines have historically tended to involve data breaches. This case shows that regulators will consider other breaches of data protection legislation, particularly where it involves the tech giants. However, smaller companies should also be aware of the compliance requirements around transparency and ensure that where they use consent as a legal basis, it meets GDPR requirements. 

If you require further information about anything covered in this briefing note, please contact David Morgan, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, February 2019

This site uses cookies to help us manage and improve the website and to analyse how visitors use our site. By continuing to use the website, you are agreeing to our use of cookies. For further information about cookies, including about how to change your browser settings to no longer accept cookies, please view our Cookie Policy. Click for more info