On January 21, 2019, the National Data Protection Commission (CNIL) of France fined Google LLC for 50 million euros for violating the requirements of the GDPR. This is the largest penalty imposed on the GDPR since its entry into force on May 25, 2018 so far.
The French regulator received complaints from the organizations “None Of Your Business” and “La Quadrature du Net”, which argued that Google LLC has no legal basis for processing personal data of its users, in particular, for the purpose of personalizing ads.
Having studied the process of registering users when creating an account with Google using mobile devices on the Android platform, gaining access to documents for giving an informed consent to the processing of personal data, the CNIL came to the following conclusions:
- The principle of transparency in the processing personal data was not respected; there was no clear and accessible form of consent to the processing of personal data.
- Consent was not sufficiently informed, specific and unambiguous.
Information on the purposes of personal data processing, their storage period and the categories of personal data processed war located in different documents and connected by cross-references. It was necessary for the user to perform 5-6 actions on average and to constantly move from one document to another to obtain the necessary information.
Moreover, in many documents, the processing goals and the categories of personal data processed were indicated by general, vague descriptions, and the storage period was not specified at all.
By agreeing to the processing of personal data in the service of personalized ads, the user did not understand how many services, websites and applications would actually process his personal data (Google search, YouTube, Google home, Google maps, Playstore, Google pictures, etc.).
Moreover, the editing of advertising settings was possible only after the user was registered, by unchecking the consent check boxes that were already set by the service itself. Initially, the user can only give general and complete consent to the processing of all his personal data by all services, which violates the basic provisions of the GDPR.
Given the position of Google in the market and the company’s impressive revenue from ads personalization, the seriousness and duration of the offenses, the CNIL imposed a fine of 50 million euros.
Thus, the main reason for the imposition of such a large fine was the failure to comply with the requirements of the GDPR regarding the consent form for the processing of personal data and the way this consent was received.
If the activity of Russian companies is related to the processing of personal data of European users, they also fall under the GDPR and should take into account the strict approach to the GDPR application and the conclusions made by the French regulator in this matter.