The fine of 50 million euros that Google was imposed last year by the French privacy regulator CNIL for violating the GDPR must simply pay the tech company. The French Council of State determined this in an appeal that was brought by Google.
According to CNIL, the internet giant is failing to provide information about the processing and storage of data for targeted advertisements, as well as obtaining valid consent. “Essential information, such as the purpose of the data processing, the data retention period and the types of personal data used for personalized advertisements, are excessively spread over several documents, with buttons and links to be clicked for additional information. The relevant information is accessible only after several steps, sometimes requiring five to six actions, “said the regulator.
In addition, Google makes the mistake of stating that it has a legal basis for processing data for personalized ads. “Google claims that it obtains users’ consent to process data for personalized ads. However, this consent is not valid for two reasons,” said the French privacy regulator. The first reason is that users are not sufficiently informed by Google. The information about the data processing is spread over several documents and ensures that the user is not able to realize the scope of the data processing. Furthermore, the collected consent is neither “specific” nor “unambiguous,” says CNIL.
When an account is created, the user can adjust various options about the account, but it is not possible to set the display of personalized ads in the first screen. In addition, the display of personalized ads is selected by default in the more extensive options. Furthermore, when creating an account, a user must give his consent to all data processing by Google, which is not specific and is therefore in violation of the GDPR, according to CNIL.
It was the first time that the French privacy regulator used the new GDPR power to impose fines. The amount of the amount was justified, according to CNIL, by the seriousness of the violation regarding the essential principles of the GDPR, namely transparency, information and consent.
Google subsequently appealed the fine, but is short-lived. According to the Council of State, Google falls short in the provision of information to users, so that the consent of users is not validly obtained. The court also announced that the French regulator Google was allowed to impose a fine in this case and that this was not reserved to the Irish privacy regulator. Google’s European headquarters are located in Ireland.
The GDPR is introducing a so-called “one-stop shop”, in which the privacy supervisor of the country where a company has its headquarters is leading. The French Council of State states that at the time of the fine, Google’s Irish subsidiary had no power over the other European subsidiaries or the decision-making power for data processing. In response to the ruling, CNIL said that the one-stop shop in the case was not applicable. The underlying decisions were not made by Google Ireland, but by Google in the United States.
The court further states that the amount of the fine is proportional in view of the seriousness of the violations. The fine for Google is so far the highest distributed in Europe under the GDPR. However, the amount is out of proportion to Alphabet’s revenue, which passed $ 161 billion last year.