The CNIL, the French equivalent of the Information Commissioner’s Office (ICO) fined Google LLC €50m for a lack of transparency, inadequate information and absence of valid consent regarding advert personalisation and geo-tracking undertaken through Google’s Android mobile operating system.
Whilst the CNIL’s decisions are not binding on the ICO, it provides both an indication and warning of how supervisory authorities may interpret the General Data Protection Regulation (GDPR) and the level of fine a regulator may decide to award in the event of such a breach.
The CNIL’s decision criticised Google for providing privacy information across several documents (using hyperlinks and buttons) rather than including this information in a single document (or privacy notice). Furthermore, the CNIL viewed the privacy information as ‘not always clear or comprehensive’ and stated that ‘users are not able to fully understand the extent of the processing operations carried out’ as the purposes of Google’s processing and the categories of data processed were ‘too vague’.
Size of fine
This is the first time the CNIL has imposed the new level of fine and it is, to date, the largest fine issued under GDPR across the EU. The CNIL justified the amount on the basis that the violations were considered severe and continuous breaches of GDPR and that a significant proportion of the French population have Google accounts on the Android system. It was also noted that, as advert personalisation was a significant part of Google’s business, it was important that it complied with the regulations.
What should we learn from this?
Significant fines have historically tended to involve data breaches. This case shows that regulators will consider other breaches of data protection legislation, particularly where it involves the tech giants. However, smaller companies should also be aware of the compliance requirements around transparency and ensure that where they use consent as a legal basis, it meets GDPR requirements.
If you require further information about anything covered in this briefing note, please contact David Morgan, or your usual contact at the firm on +44 (0)20 3375 7000.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, February 2019