by Laura Fannin , Ruth Prendeville January-22-2019 in Commercial & Business, Data Protection

France’s data protection regulator (the “CNIL”) has imposed a €50 million fine on Google for failing to comply with EU data privacy laws.  The fine is the highest yet to be imposed on an organisation under the General Data Protection Regulation (“GDPR”), which was enacted on 25 May last year.

The CNIL investigation that resulted in the fine was prompted by complaints lodged against Google by two advocacy groups, one of which was created by privacy campaigner Max Schrems.  The complaints centred on the allegation that Google does not have a valid legal basis to process users’ personal data, particularly for its ad personalisation practices.

In its decision on 21 January 2019, the CNIL found that Google failed to comply with the obligations of transparency and in relation to the provision of information to users.  Specifically, it considered that the essential information that must be made available to users upon collection of their personal data is excessively vague, difficult to access and manage, and does not clearly explain that Google relies on users’ consent as the legal basis to process their personal data for the purpose of personalising ads to them.

The CNIL also found that Google failed to have a legal basis for processing personal data for the purpose of ad personalisation.  It considered that the consent on which Google purports to rely for the activity is not validly obtained because, firstly, users are not sufficiently informed of all the ways in which Google uses and combines their personal data to personalise ads to them, and secondly, the consent is neither specific nor ambiguous.  The CNIL made specific reference to the fact that Google’s settings for ad personalisation are generally pre-ticked, which falls foul of the requirement under GDPR that unambiguous consent requires a clear affirmative action from the user (by ticking a box that is not already pre-ticked, for example).

In its statement responding to the CNIL’s decision, a Google spokesperson said that the company is deeply committed to meeting the high standards of transparency and control that are expected of it, and is studying the decision to determine its next steps.

For further information on this topic, please contact Laura Fannin lfannin@hayes-solicitors.ie or Ruth Prendeville rprendeville@hayes-solicitors.ie at Hayes solicitors.

 

Back to Full News
Share this article:

About the Authors

Laura Fannin
Laura Fannin

Laura is a partner in the Commercial & Business team at Hayes solicitors. Laura advises clients on a diverse range of corporate and commercial matters and regulatory requirements. She is an experienced adviser on terms and conditions of sale and purchase, IT issues, data protection, product liability, advertising and promotions, intellectual property and a wide range of commercial agreements.

Ruth Prendeville
Ruth Prendeville

Ruth is an associate solicitor in the Commercial & Business team at Hayes solicitors. She advises on an array of commercial and regulatory matters, including in the areas of privacy and data protection, intellectual property, terms and conditions of purchase and sale, advertising and promotions and commercial contracts.  Her clients include those from key business industries including media and entertainment, advertising, motor, food, accountancy, manufacturing and business networking.