Published 18 June 2019
On 21 January 2019 the data protection regulator in France (Commission Nationale de l’Informatique et des libertés, known as the “CNIL”) imposed the first large GDPR fine: a record-breaking 50 million euros (approximately £44 million) against Google LLC. This caused headlines not only because of its size, but also because of the breaches in the spotlight.
The actions arose out of complaints initiated by privacy interest groups “None Of Your Business” and “La Quadrature du Net”.
The CNIL found that Google had not been transparent with Android users about how it collected and used personal data. Its fair processing notice was not accessible, it displayed information spread across many applications and webpages, it did not contain all required elements, and the general form and structure was non-compliant. This meant that users could not understand how personal data would be processed by Google or what the consequences of processing might be.
The CNIL drew particular attention to the number of Google services collecting personal data on the Android system (approximately 20 including phone, Gmail, YouTube, Google Maps, and Google Analytics cookies on third-party websites) and to the vagueness of the information Google gave regarding how data would be used, citing generic purposes such as to “ensure the safety of products and services”.
Therefore the CNIL found that consent had not been properly obtained because it did not meet the GDPR standard of being “specific” and “unambiguous”. Additionally, in view of the fact that Google was in violation of its transparency requirements, the CNIL also found that consent was not “informed”.
The GDPR introduced the concept of the “one stop shop”: a mechanism to allow a single supervisory authority to act as the lead authority on behalf of other EU supervisory authorities and issue fines. Google argued that its European headquarters were in Ireland and therefore the Irish Data Protection Commissioner (rather than the CNIL) should have handled this complaint. However, the CNIL found that Google did not have a main establishment in the EU; its key decision making and processing activities under investigation were not made by the Irish entity. This meant that the “one stop shop” was not engaged and the CNIL, along with any other supervisory authority, could make a decision in respect of Google’s activities. The ICO is said to be considering its possible next steps.
Google has confirmed that it will appeal the CNIL's decision.
This fine demonstrates that supervisory authorities are not afraid of flexing their enforcement and fining powers.
It is also indicative of a new enforcement trend across which is no longer focussed just on security and data breaches, but instead looks at the lawful use of personal data. We expect that a new wave of enforcement activity focussed on transparency and consent infringements will follow the Google fine. We recommend that all organisations review their fair processing notices (including delivery mechanisms) and consent wordings to ensure that they meet the high standards set by the GDPR.