France Fines Google $57 Million for Violating GDPR
Client Alert
On January 21, 2019, France’s data privacy agency, the National Data Protection Commission (CNIL) announced that it was issuing a €50 million fine against Google, Inc. for violating the new EU General Data Protection Regulation (GDPR). This is the first major enforcement action under the GDPR and the first enforcement action against a U.S.-based company. This signals a shift to a new phase of GDPR enforcement. Since the GDPR came into effect on May 25, 2018, data protection agencies in EU member states have been flooded with complaints and investigating possible violations and data breaches by companies that fall within the GDPR’s expansive jurisdiction. This enforcement action, which targets deficiencies in how a U.S. company has complied with the GDPR, helps to explain the investigative methods and enforcement calculus of EU data protection agencies.
Specifically, CNIL claims that Google violated the GDPR in the following ways:
- (1) Transparency and Information Disclosure Violations
- Information on how Google users’ data is collected and processed was not easily accessible to users, sometimes requiring a user to click five or six links before arriving at the relevant portion of Google’s privacy policies.
- The information did not clearly communicate the extent of processing operations carried out by Google on users’ data or the lawful bases for certain processing activities.
- The information was not sufficiently comprehensive, and often relied on generic and vague descriptions of the data processing activities. Some information, such as the amount of time that data would be retained, was simply not provided for some data.
- (2) Consent Violations
- Google failed to obtain sufficiently informed consent from its users to process data for the personalization of advertisements.
- The “consent” check-box for ad personalization was pre-ticked, meaning that users needed to opt-out of this setting.
- Google required users to “bundle” their consent by agreeing either to all or none of Google’s data processing activities, instead of requesting specific consent for each set of data operations.
This enforcement action resulted from an investigation by CNIL into how Google obtains consent, discloses information, and then collects and processes data with respect to the creation of a Google account when configuring a mobile phone using Android. Accordingly, CNIL and other regulatory bodies may still have room to investigate and pursue actions against Google for other GDPR violations related to various other Google services and products. We will provide additional updates in the near future regarding CNIL’s Google decision and any other enforcement actions that may implicate GDPR compliance issues for U.S.-based associations.
If you have any questions regarding GDPR compliance, please feel free to contact Oliver Krischik at (202) 342-5266 or okrischik@gkglaw.com.