It is the French regulator Commission Nationale de l’informatique et des libertés (CNIL) that has imposed a fine of €50 million on Google LLC (Google) for breach of the GDPR. According to the CNIL, Google is violating two of the main provisions of the GDPR in connection with the personalised advertising that it displays to its users.

Two complaints, one investigation

Two complaints, which the CNIL already received on 25 and 28 May 2018 (not coincidentally shortly after the entry into force of the GDPR), led to the launch of an investigation into Google’s advertising activities by the French government agency.

The complaints were submitted by the organisations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). The latter filed a group complaint on behalf of 10,000 people involved.

In both complaints, Google is accused of not having a valid legal basis to process the personal data of its users for displaying personalised advertising.

Infringements in connection with personalised advertising

The infringements determined by the CNIL are twofold. In the first place, the CNIL considers that the information Google provides about personalised advertising to its users to be insufficiently transparent and clear. Important information on the processing of personal data is spread over too many different web pages. The fact that users have to plough through many different buttons and links to unearth the relevant information, also makes it insufficiently accessible for users.

The CNIL also confirms the complaints of the above organisations. Google relies on the consent of its users to carry out its advertising activities, but this consent has not been legally obtained.

Not informed. It is unclear to the users which of their activities involving use of services, websites and applications are analysed and used in the personalisation of advertising. Consider your use of Google Search, YouTube, Google Maps, Google Play, Gmail, etc.

Nonspecific. The consent of the users is collected through the mandatory acceptance of the general terms and conditions and a comprehensive privacy statement. Google invariably uses an all-or-nothing principle in which it does not sufficiently distinguish between the different purposes for which the personal data is collected and used.

Not unambiguous and active. Although users can refuse personalised advertisements and manage their preference settings themselves, it is not clear to the user where and how he can do this. In addition, Google makes improper use of the ‘opt-out’ principle by ticking all options by default and beforehand. One of the key points of the GDPR is that permission requires an active action (‘opt-in’) from the data subject to be legally valid. If the data subject does not take action, then in principle, no permission can follow.

Fine of 50 million euros

The CNIL has imposed a fine of 50 million euros on Google based on its infringements of the GDPR. That sounds like a lot, but it could have been a much higher sum for Google. The GDPR makes it possible to punish serious or repeated violations with a maximum fine that is equivalent to 4 percent of a company’s annual turnover.

Considering that the revenue figures of Alphabet (the parent company of Google) for 2017 were estimated at 94.79 billion euros, this means that in the event of further breaches of the GDPR Google may expose itself to fines of up to 3.79 billion euros.

Whether or not Google will lose any sleep over this is questionable, however. In any case, the company has already indicated that it wishes to meet the high transparency and control standards of the GDPR and that it is evaluating the CNIL’s decision in order to take the necessary steps to remedy these breaches.

Do you have questions…

Are you curious about what Google knows or wants to know about you? Through this link you can find out what information and online activity Google uses to personalise your advertisements.

If you, as a company, have questions or need support regarding privacy or IT, feel free to contact our Privacy and IT experts.