Google in France was fined € 50 million in GDPR for misuse of personal data

On January 21, 2019, the National Information Technology and Human Rights Commission (CNIL) of France fined Google € 50 million for “lack of transparency, poor information and lack of effective consent” in processing and using personal data of users to display personalized ads to them.

The imposition of a large fine was the result of an investigation. It all started with the fact that on 25 and 28 May 2018, CNIL received collective complaints from human rights associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN), representing more than 10,000 people. These two complaints were accused by Google of the lack of a proper legal framework for processing users ’personal data, including advertising personalization.

On June 1, 2018, in accordance with the European cooperation provisions established by the GDPR, CNIL sent two complaints to its European colleagues to confirm that it has competence to consider them. The fact is that in the European Union there is a “one window” mechanism. First you need to determine in which country the defendant’s main institution is located. Accordingly, the EU legal body from this country will become the “leading” body in the consideration of this case. Prior to making a decision, the initiator of the process should coordinate with other national data protection authorities.

Google's European headquarters is in Ireland. However, in this case, at the time of consideration, it turned out that the Irish representative office did not have the authority to decide on the procedures carried out under the Android operating system and the services provided by Google LLC in connection with the creation of a user account when setting up a mobile phone.

Since the “one-stop-shop” system was not applicable, the French CNIL commission was given the authority to make decisions regarding Google LLC. She did this by applying the new European Data Protection Regulation (GDPR) .

According to the GDPR , the amount of the fine for the company is determined in proportion to the crime committed. A typical EU practice in the case of repeated violations on the same issue is an increase in the fine. It can quickly increase, so most companies tend to fix the problem quickly. Each interaction with data protection agencies follows the same pattern: warning, fine, increase in fine. The maximum amount of the fine is € 20 million or 4% of the annual turnover for the previous financial year for the company, whichever is greater. The maximum penalty is introduced to ensure that giants like Facebook and Google will not ignore the law, simply by paying the fine and continuing the previous practice. For example, for violation of Russian legislation on the storage of personal data to companies Facebook and Twitter now faces a fine of up to 5,000 rubles .

In order to handle complaints, in September 2018, CNIL conducted an online review. The goal was to verify compliance with the law of GDPR by analyzing user actions and documents that he can access by creating a Google account when setting up his mobile phone for Android.

The audit revealed two rows of GDPR violations.

First violation: failure to comply with obligations to ensure transparency and accountability. The users found it difficult to obtain basic information that the company was obliged to bring to them according to the GDPR, including:

• the purposes for which the data is processed;
• data retention period.

The categories of data used to personalize advertising were scattered across several documents, with separate buttons and links for more information. Thus, the relevant information is available only after several steps, and sometimes requires from the user up to five or six actions. Information about collecting information for personalizing advertising or for geolocation is hidden from people as much as possible. In addition, the information provided is not always clear.

As a result, users are not able to understand the scope of surveillance established by Google, although these methods are “particularly massive and intrusive because of the number of services offered (about 20), the amount and nature of the data processed and combined,” the French agency acknowledged.

Google makes it unclear for users that the explicit consent of a person is necessary for data collection. It seems that Google has the full right to collect personal data, and user consent is not required.

The second violation: non-compliance with the requirement of a legal basis for processing advertising personalization . The Commission acknowledged unsatisfactory information and the lack of valid user consent to data processing for advertising targeting.

Information about the procedures "does not allow the user to realize the scale." For example, in the section "Personalization of ads" does not speak about the set of services, sites, applications involved in data processing (Google search, Youtube, Google Maps, Play Store, Google Photo and so on) and, therefore, about the amount of data processed and combined . The experiment also showed that the obtained consent is not “concrete” and “unequivocal”.

As a result, it was concluded that there is a constant violation of the norms of GDPR. “This is the first time that CNIL applies the maximum penalty provided for by the general data protection regulations,” said a statement to CNIL.