• Startups
  • June 17, 2020

GDPR’s First High Profile Victim - Google Fined 50 Million Euros

On 21 January 2019 the French data protection regulator CNIL imposed a financial penalty of 50 Million euros against Google LLC under the GDPR legislation. This is the first case involving a significant fine against a well-known company and provides some poignant lessons for other businesses in their efforts to remain fully GDPR compliant. 

Reasons for the CNIL decision

According to the official CNIL website, the reasons behind the decision were the “lack of transparency, inadequate information and lack of valid consent in relation to the ads personalisation”. The decision highlights how important it is to make easily accessible, clear, unambiguous and comprehensive privacy notices available to users (including language on types of data, legal basis, retention periods, etc.), and to have the right consent mechanisms for each specific purpose of processing, without pre-ticked boxes. We recently covered the advertising dos and don'ts as part of our Cyber Week series so that our client network were in the best position to make the most of this lucrative trading period without failing in their GDPR compliance. It is a stark reminder to all that even the most well-resourced brands can get it wrong. If you’re not absolutely clear on your GDPR compliance, you may like to make use of our handy, quick and easy-to-use GDPR Checklist tool.

Background to the case

The case started with two group complaints received by CNIL, and there is no doubt that many cases are currently being investigated by various European data protection authorities, including the Information Commissioner’s Office (ICO) in the UK. The GDPR establishes a “one-stop-shop” mechanism under which a data controller typically deals with the data protection authority in the country where its main establishment is based; this “lead authority” coordinates any cooperation of other data protection authorities on decisions concerning cross-border processing. It appears that CNIL held discussions with other data protection authorities within the EU, including the data protection authority in Ireland, where Google’s European headquarters are based, and it was decided that the “one-stop-shop” mechanism was not applicable, specifically in the context of the Android operating system and the set-up of Google accounts on mobile devices. CNIL therefore had the authority to investigate the complaints and take appropriate action against Google. Following the investigation, which included online inspections, CNIL observed the following violations of the GDPR and the French Data Protection Act:

"A violation of the obligation of transparency and information"

CNIL held that the information provided by Google was not easily accessible to its users. Essential information, such as the purposes of data processing, data storage periods and the categories of personal data used for ad personalisation, was “excessively disseminated” across several documents. The relevant information was only accessible after a number of steps, sometimes as many as 5 or 6 (as with the geo-tracking service). In addition, some information was seen to be “not always clear nor comprehensive”. CNIL stated that users would not be able to fully understand the extent of the processing operations, bearing in mind that such processing is seen as “particularly massive and intrusive” due to the number of services offered (around 20) and the amount and nature of the data processed and combined. The purposes, the legal basis for processing and the categories of data processed, as stated in the documents, were considered too generic and vague, and the information on retention periods was not sufficient.

"A violation of the obligation to have a legal basis for ad personalisation processing"

According to CNIL, Google stated that it obtained the user’s consent for ad personalisation purposes; however, the committee considered that the consent was not validly obtained. First, the information on processing for ads personalisation was spread across several documents, which did not help users understand it, and therefore “the users’ consent is not sufficiently informed.” Secondly, the collected consent was deemed neither “specific” nor “unambiguous”. Even though users were able to modify some options at the point of creating their account, the GDPR was not “respected” as the ads personalisation configurations were pre-ticked. The GDPR, however, states that consent is “unambiguous” when the user takes a clear affirmative action by ticking a non-pre-ticked box or similar. Finally, at the point of creating an account, the user is asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. The consent given therefore covers all the processing operations carried out by Google (ads personalisation, speech recognition and others), whereas the GDPR provides that consent is only “specific” when given separately for each purpose.

The amount of the fine was said to be justified due to the “severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” It seems that Google intend to appeal the fine, and this too will give us all vital pointers on what the GDPR will mean to businesses in 2019.

Journey further

The author of this article is expert LawBrief Alla Fairbrother. For further business legal advice, please enter an enquiry or call us today on 020 7148 1066 to speak to a member of our friendly Client Care Team.

In closing

Nothing in this article constitutes legal advice on which you should rely. The article is provided for general information purposes only. Professional legal advice should always be sought before taking any action relating to or relying on the content of this article. Our Platform Terms of Use apply to this article.
