French data regulator hits Google with €50m fine over ad personalisation
Office of the Data Protection Commissioner said to lack 'decision-making power' in GDPR case
22 January 2019
Google has been fined €50 million by French data regulator CNIL in a landmark General Data Protection Regulation (GDPR) ruling.
The case was originally filed on 25 May 2018 – the day GDPR came into effect – by privacy rights groups NOYB (None of Your Business) headed by activist Max Schrems of Europe-v-Facebook.
Notable by its absence is the Office of the Data Protection Commissioner. Under rules governing data ownership and processing, companies in Europe are regulated by the country where their head office is located. In the case of multinationals like Google and Facebook, whose European base is in Ireland, that would require the case to be played out in the Irish courts under a ‘one stop shop’ model.
However, as the case centres on how Android accounts are set up, CNIL ruled that the ODPC had no “decision-making power” in the matter. This puts tech giants at risk across the EU, where individual regulators can identify further points of latitude. It’s also poor optics for the ODPC, which is currently locked in an action taken by Facebook in the Supreme Court over the validity of the US’ Privacy Shield framework.
Google was sanctioned for two types of GDPR breaches. CNIL found that “essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information.”
CNIL said such information was accessible “after several steps only, implying sometimes up to five or six actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalisation purposes or for the geo-tracking service.”
The search giant was also criticised for failing to clearly explain how user consent for ad personalisation was gathered and for which services. “The information on processing operations for the ads personalisation is diluted in several documents and does not enable the user to be aware of their extent,” wrote CNIL.
“The user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalisation is moreover pre-ticked. However, as provided by the GDPR, consent is ‘unambiguous’ only with a clear affirmative action from the user.”
CNIL further criticised Google for engaging in “continuous” GDPR breaches as opposed to a “one-off, time-limited infringement”.
GDPR gives regulators the power to impose fines of up to €20 million or 4% of turnover – whichever is greater.
The biggest fine for a GDPR violation prior to the Google result was €400,000 levied against a hospital in Portugal for failing to regulate doctors’ access to patient records through a government-issued IT system.