An issue of consent: GDPR and Google's €50m fine

The CNIL, the French equivalent of the Information Commissioner’s Office (ICO), fined Google LLC €50m for a lack of transparency, inadequate information and absence of valid consent regarding advert personalisation and geo-tracking undertaken through Google’s Android mobile operating system.

Whilst the CNIL’s decisions are not binding on the ICO, this decision provides both an indication and a warning of how supervisory authorities may interpret the General Data Protection Regulation (GDPR) and the level of fine a regulator may decide to impose in the event of such a breach.

Privacy information

The CNIL’s decision criticised Google for providing privacy information across several documents (using hyperlinks and buttons) rather than including this information in a single document (or privacy notice). Furthermore, the CNIL viewed the privacy information as ‘not always clear or comprehensive’ and stated that ‘users are not able to fully understand the extent of the processing operations carried out’ as the purposes of Google’s processing and the categories of data processed were ‘too vague’.

Consent

In order to personalise adverts to mobile users, Google relied on consent as its legal basis. GDPR consent must be informed, opt-in and specific; however, the CNIL noted that user options to configure adverts included pre-ticked boxes whilst, to create an Android account, users were asked to agree with statements that applied to all of Google’s processing operations such as ‘I agree to Google’s Terms of Service’ and ‘I agree to the processing of my information as described above and further explained in the Privacy Policy’. The CNIL noted that consent can only be specific where it is given for each distinct purpose (eg advert personalisation, speech recognition, etc).

Size of fine

This is the first time the CNIL has imposed the new level of fine and it is, to date, the largest fine issued under GDPR across the EU. The CNIL justified the amount on the basis that the violations were considered severe and continuous breaches of GDPR and that a significant proportion of the French population have Google accounts on the Android system. It was also noted that, as advert personalisation was a significant part of Google’s business, it was important that it complied with the regulations.

What should we learn from this?

Significant fines have historically tended to involve data breaches. This case shows that regulators will consider other breaches of data protection legislation, particularly where they involve the tech giants. However, smaller companies should also be aware of the compliance requirements around transparency and ensure that, where they use consent as a legal basis, it meets GDPR requirements.

If you require further information about anything covered in this briefing note, please contact David Morgan, or your usual contact at the firm on +44 (0)20 3375 7000.

This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.

© Farrer & Co LLP, February 2019

About the authors

David Morgan

Associate

David provides clear, practical advice on commercial matters in the areas of data protection, intellectual property and contracts. He works with private and public sector clients across a variety of industries including technology, media, sport, financial services, culture and not-for-profit.

Email David +44 (0)20 3375 7166