The National Data Protection Commission (CNIL) of France sanctioned the US technology giant Google with a record fine of 50 million euros. The regulatory body announced on its webpage that the fine is due to breaches of the General Data Protection Regulation (GDPR). The case can be viewed from different angles and this article will summarise some of them.
Going back to where it all began, we reach 25 and 28 May 2018. On those dates two French associations – La Quadrature du Net (LQDN) and None Of Your Business (NOYB) – submitted group complaints to CNIL. Their claim was that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ad personalization purposes.
CNIL started its investigation early in June 2018 through its restricted committee responsible for examining breaches of the Data Protection Act. The committee's conclusion was that Google disregarded GDPR’s rules in two ways. First, the company violated its obligations of transparency and adequate information. Second, it failed to have a legal basis for ad personalization processing.
In other words, CNIL’s committee decided that Google provided its users neither with a full and clear picture of the data it collects, nor with simple, specific tools to consent to having their personal information harnessed.
One of the possible reasons for the extremely costly fine might be the prolonged nature of the breaches. As highlighted in CNIL’s announcement:
“The violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
An interesting conclusion can be drawn from the fact that CNIL started investigating Google because of the collective efforts of thousands of people. LQDN’s complaint alone was supported by 10,000 persons. This phenomenon should not be underestimated. It might be a strong signal that civil society can act as an “organic” regulator, in parallel with the official bodies.
Another potential consequence of the record fine is a step towards a similar, overarching federal consumer privacy law in the US. According to the Washington Post, right after CNIL’s announcement, US consumer advocates strongly encouraged Washington to follow Europe’s example.
Whether French citizens will change their tech preferences due to the Google case is still unknown. However, it should be noted that Google currently holds the dominant market position in France via Android. This is also one of the reasons the fine is so impressive. As stated by CNIL: “thousands of French people create, every day, a GOOGLE account when using their smartphone”.
So far Google has not said much on the French regulator’s decision. The company has already contested it, saying it should apply only to its European sites, such as Google.fr, and not the global Google.com domain.
“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR”, a Google spokesperson said.
We finish this article with a comment by Maria Krumova, Senior Legal Advisor at AMATAS:
“The 50 million euro fine, imposed by the French data regulatory agency CNIL on the American giant Google, raises an interesting and relevant topic – that of consent validity as grounds for processing personal data.
Practice so far shows that personal data administrators rely heavily on consent, even where alternatives are available. However, CNIL’s decision proves that the high standards of transparency and control, implied by GDPR, are seriously guaranteed, especially in cases where data is processed in the virtual realm. It is time for those who process personal data to understand that relying on consent as a legal base should be in line with the new European legal framework’s logic – providing concrete, transparent and easily accessed information.
CNIL’s decision makes a clear indication towards administrators that the new GDPR rules should not be followed formally, especially when they rely on not so certain and permanent grounds as persons’ consent.”