In the biggest fine since the introduction of the GDPR, the French data protection regulator Commission nationale de l’informatique et des libertés (CNIL) announced on its official page a fine of €50m on Google for breach of EU data protection and privacy law.
CNIL, an independent national data protection watchdog/regulator, is responsible for ensuring adherence to privacy and data protection law in France. CNIL received complaints from two groups against Google: None Of Your Business (NOYB) and La Quadrature du Net (LQDN), both established to ensure compliance with European privacy laws and to campaign for data subject rights.
CNIL’s committee responsible for investigating these complaints made against Google found that Google had committed a number of breaches. The GDPR states that data subjects should easily be able to obtain detail about how their personal data is being processed. CNIL’s committee attests that “information provided by Google was not easily accessible for users”. CNIL noted a particular example: if a data subject wanted to know how their data was used for geo-tracking, the data subject would have to undertake a number of steps to obtain this information, and this “can take up to 5 or 6 actions”.
Linked to this is the inability of a data subject to ascertain the scope of Google’s processing of personal data. This is largely due to the lack of specific words that a data subject can understand, as the terms used were in reality too broad and imprecise, and therefore fall foul of the GDPR.
The committee also found that data subject consent was not properly obtained for the purposes of ads personalisation as the processing information is displayed in too many places and it is not always a straightforward process to retrieve.
Finally, some of Google’s user consent “tick-boxes” were always pre-ticked when creating an account, which CNIL declared is not compliant with the GDPR, which requires “unambiguous” and “specific” consent of data subjects.
CNIL states that the public fine imposed on Google is to signify the extent and severity of the breaches. However, CNIL notes that these breaches continue, and therefore the regulator hopes that by extracting and proving these breaches of the GDPR, data subjects are better informed about their rights.