On January 21, 2019, Google was fined nearly $57 million (approximately 50 million euros) by France’s Data Protection Authority, CNIL, for an alleged violation of the General Data Protection Regulation (GDPR).[1] CNIL found Google violated the GDPR based on a lack of transparency, inadequate information, and lack of valid consent regarding ad personalization. This fine is the largest imposed under the GDPR since it went into effect in May 2018 and the first to be imposed on a U.S.-based company.
CNIL began investigating Google’s practices based on complaints received from two GDPR consumer privacy rights organizations alleging Google did not have a valid legal basis to process the personal data of the users of its services, particularly for Google’s personalized advertisement purposes. The first of the complaints was filed on May 25, 2018, the effective date of the GDPR.
Following its investigation, CNIL found the general structure of the information required to be disclosed by Google relating to its processing of users’ information was “excessively disseminated across several documents.” CNIL stated the relevant information pertaining to privacy rights was only available after several steps, which sometimes required up to five or six actions. Moreover, CNIL indicated users were not able to fully understand the extent of the processing operations carried out by Google because the operations were described in a “too generic and vague manner.” Additionally, the regulator determined information regarding the retention period was not provided for some data collected by Google.
Google’s process for obtaining user consent to data collection for advertisement personalization was also alleged to be problematic under the GDPR. CNIL stated Google users’ consent was not considered to be sufficiently informed due to the information on processing operations for advertisement being spread across several documents. The consent obtained by Google was not deemed to be specific to any individual Google service, and CNIL determined it was impossible for the user to be aware of the extent of the data processed and combined.
Finally, CNIL determined the user consent captured by Google was not “specific” or “unambiguous” as these terms are defined by the GDPR. By way of example, CNIL noted that Google’s users were asked to click the boxes «I agree to Google’s Terms of Service» and «I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. As a result, the user was required to give consent, in full, for all processing operations purposes carried out by Google based on this consent, rather than for distinct purposes, as required under the GDPR. Additionally, the CNIL commented Google’s checkbox used to capture user consent relating to ad personalization was “pre-clicked.” The GDPR requires consent to be “unambiguous,” with clear affirmative action from the user, which according to the CNIL, required clicking an unclicked box.
This fine may be appealed by Google, which indicated it remained committed to meeting the “high standards of transparency and control” expected by its users and to complying with the consent requirements of the GDPR. Google indicated it would study the decision to determine next steps. Given Google is the first U.S.-based company against whom a DPA has attempted GDPR enforcement, in combination with the size of the fine imposed, it will be interesting to watch how Google responds.
The GDPR enforcement action against Google should be seen as a message to all U.S.-based organizations that collect the data of citizens of the European Union. Companies should review their privacy policies, practices, and end-user agreements to ensure they are compliant with the consent requirements of the GDPR.