French Data Protection Authority fines Google €50 million under the GDPR

France’s national data protection authority (CNIL — Commission Nationale de l’informatique et des Libertés) ordered its first sanction under the EU’s General Data Protection Regulation, or as commonly called as the GDPR. In this sanction, the CNIL fined Google a whopping €50 million because of Google’s failure to comply with the GDPR provisions when a user sets up his new Android phone and follows the subsequent process.

Who filed the complaint?

None of Your Business (noyb) and Quadrature du Net are two nonprofit organizations who filed the complained in May 2018. noyb initially filed a complaint against Google as well as Facebook over forced consent.[1] With this ruling, it is being speculated that Facebook might face similar sanctions from the CNIL.

What did the CNIL say?

The CNIL’s ruling can be divided into two parts on the basis of which this decision was given – transparency and consent.

Transparency

According to the CNIL, important information such as the purpose of data processing, data storage duration, categories of personal data, ad personalization, etc. have been widely disseminated across a number of documents which require a user to click on buttons and links to access complementary information. For example, if a user wants to understand how his data is being processed, it takes around 5-6 steps. The CNIL has found that the language is broad and obscure on purpose and it is too hard for a user to understand.

Consent

The CNIL stated that consent flow of Google does not comply with the provisions of GDPR as consent bundling is illegal. It was recommended that Google should separate the process for creating an account from the process of device set up. They found that Google actually pushes a user to an extent to either sign in or sign up, as it notifies (read gives notice) to a user that user experience will be worse if you do not have a Google account.

Along with this, the CNIL also concluded that Google does not ask for an unambiguous and specific consent. Sentences such as

“I agree to the processing of my information as described above and further explained in the Privacy Policy.”

signify broad consent and hence, are invalid under the GDPR.

Google’s Reaction

As per a Google’s spokesperson, users expect a high standard of control and transparency from Google and the company is indeed committed to meet those requirements and maintain them, while at the same time, follow the consent requirements of the GDPR. Their team is examining the decision for taking the next course of actions.

noyb Chairman Max Schrems Statement

He thanked his supported and he was pleased that a data protection authority has fined a large corporation such as Google for clear violations of the provisions of the GDPR. He added that it is important for the authorities to take a clear stand to make sure that merely claiming to be compliant is not enough anymore.


[1] https://techcrunch.com/2018/05/25/facebook-google-face-first-gdpr-complaints-over-forced-consent/

Leave a Reply

Your email address will not be published. Required fields are marked *