Menu
ALT Advisory | Public Interest Advisory Services
  • Home
  • Services
    • Advisory
      • Project management // strategy
      • Network development
      • Human rights impact assessments
      • Law reform // advocacy
      • Regulatory compliance // risk
        • > POPIA Compliance
        • > GDPR Compliance
      • Privacy by design
    • Analysis
      • Legal // policy analysis
      • Country trends analysis
      • Regional // international trends analysis
      • Reviews // vetting
      • Treaty body reporting
    • Research
      • Commissioned research reports
      • Comparative legal research // mapping
      • Community engagement // public participation
      • Development of legal instruments
      • Field research // social surveys
    • Training
      • Toolkits // training manuals
      • Constitutional literacy
      • Information security
      • Capacity-building workshops
      • Online platforms // courses
      • Organisational policies
  • Practice Areas
    • Public Law
      • Constitutional law // democratic institutions
      • International law // multi-stakeholder engagement
      • Activism // right to protest
      • Corporate accountability
      • Electoral integrity // right to vote
      • Eliminating trade in harmful technologies
      • Equality // inclusion
      • Labour migration governance
      • Environmental law // climate change
    • Information Rights
      • Internet governance
      • Free expression online
      • Press freedom // protected disclosures
      • Disabling disinformation
      • Online harms reduction
      • Open data // access to knowledge
      • Internet access
      • Digital equity
    • Data Privacy
      • Protection of personal information
      • Responsible data collection
      • Information security // cybercrimes
      • Automated decision-making // profiling
      • Biometrics // facial recognition
      • Responsible data trade
      • Surveillance technologies
    • Emergent Tech // Innovation
      • Algorithmic bias
      • AI // robotics
      • Blockchain // smart contracts
      • Copyright online
      • Smart cities // the Internet of Things
      • Future of work
  • Special Projects
    • ALT AI
    • Data Protection Africa
    • Democracy 2.0
    • Internet in Schools
  • About
    • About
      • About Us
      • Our Work
      • Vision
      • Mission
      • Empowerment
    • People
      • Avani Singh
      • Michael Power
      • Tina Power
      • Tara Davis
      • S’lindile Khumalo
      • Jessie Rashid
      • Kwazi Nwana
      • Dércio Tsandzana
      • Wendy Trott
    • Opportunities
      • Vacancies
      • Internships
      • Collaboration
    • Policies
      • Accessibility
      • Best Practices
      • Non-discrimination
      • Open Source
      • Privacy
  • Connect
Close Menu
Advisory 2020
22 Jan 2019

Google fined 50 million euros for non-compliance with data protection law

Advisory Notes General Data Protection Regulation

On 21 January 2019, the restricted committee of the French data protection authority – Commission Nationale de l’Informatique et des Libertés (CNIL) – imposed a financial penalty of €50 million (euros) against Google LLC for non-compliance with the European Union’s data protection law, the General Data Protection Regulation (GDPR), which came into operation in May 2018. As noted by the CNIL, this was the first time that the CNIL applied the new increased sanction limits provided by the GDPR, which the CNIL considered to be justified in light of the severity of the infringements.

The complaints

In terms of the complaints received, it was contended that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for the personalisation of advertisements (ads personalisation). As part of its investigation, the CNIL carried out online inspections to verify the compliance of the processing operations implemented by Google with the GDPR and the domestic data protection law, including by analysing users’ browsing patterns. On the basis of the inspections carried out, the CNIL observed two types of breaches: (i) a violation of the obligations of transparency and information; and (ii) a violation of the obligation to have a legal basis for ads personalisation processing.

Violation of the obligations of transparency and information

The CNIL noted that the information provided by Google was not easily accessible for users. In this regard, the CNIL observed that essential information – such as the data processing purposes, the data storage periods or the categories of personal data used for ads personalisation – were “excessively disseminated” across several documents, with buttons and links that needed to be clicked to access complementary information; as such, the relevant information was only accessible after several steps. The CNIL observed further that some information was not always clear or comprehensive.

In this regard, the CNIL noted that users were not able to fully understand the extent of the processing operations carried out by Google. However, given the number of services offered, and the amount and nature of the data processed and combined, the processing operations were particularly massive and intrusive. Of particular concern to the CNIL was that the purposes of processing were described too generically and vaguely, as were the categories of data processed for various purposes. Similarly, the CNIL was concerned that it was not clear to users that the legal basis for processing for ads personalisation was consent, and not the legitimate interest of the company.

Lastly, the CNIL noted that information regarding the retention period was not provided for some data.

Violation of the obligation to have a legal basis for ads personalisation processing

According to the CNIL, Google had not obtained valid consent for ads personalisation. First, the CNIL observed that the users’ consent was not sufficiently informed. In this regard, it noted that the information on processing operations for the ads personalisation was diluted in several documents, and did not enable users to be aware of their extent.

Second, the CNIL observed that the collected consent was neither “specific” nor “unambiguous”. In particular, the CNIL noted that when an account was created, the user had to click on the ‘More options’ button to access the configuration, and the display of the ads personalisation was already pre-ticked. This failed to meet the requirements of the GDPR, which provides that consent is only unambiguous with a clear affirmative action from the user (for example, by ticking a box that has not been pre-ticked).

Furthermore, before creating an account, the user was asked to tick the boxes ‘I agree to Google’s Terms of Service’ and ‘I agree to the processing of my information as described above and further explained in the Privacy Policy’ in order to create the account. According to the CNIL, this required the user to consent in full for all processing carried out by Goole based on such consent, which conflicted with the requirement in the GDPR that consent is only specific if it is given distinctly for each purpose.

The penalty imposed by the CNIL

In light of the above, the CNIL imposed a fine of €50 million (euros) against Google. As noted above, this was the first time that the CNIL applied the new increased sanction limits provided by the GDPR. According to the CNIL: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” The CNIL concluded further as follows:

Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.

Moreover, the violations are continuous breaches of the [GDPR] as they are still observed to date. It is not a one-off, time-limited, infringement.

Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a Google account when using their smartphone. Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.

The CNIL’s media statement (in English) is accessible here.

The CNIL’s ruling (in French) is accessible here.

Please note: The information contained in this note is for general guidance on matters of interest, and does not constitute legal advice. For any enquiries, please contact us at [email protected].

European Commission publishes Draft Artificial Intelligence Ethics Guidelines Political Party Funding Bill signed into law

Related Posts

Advisory 2020

Advisory Notes

UN issues recommendations on artificial intelligence and racial profiling by law enforcement

Advisory 2020

Advisory Notes

International Day for the Elimination of Violence against Women

Advisory 2020

Advisory Notes

South African regulator publishes draft declaration on crypto assets

Latest Advisory Notes

  • Advisory 2020UN issues recommendations on artificial intelligence and racial profiling by law enforcement
    30 Nov 2020
  • Advisory 2020International Day for the Elimination of Violence against Women
    25 Nov 2020
  • Advisory 2020South African regulator publishes draft declaration on crypto assets
    23 Nov 2020
  • Advisory 2020Italian data protection authority fines Vodafone for “aggressive telemarketing practices”
    18 Nov 2020
Back To Top
ALT Advisory | Public Interest Advisory Services
  • Accessibility
  • Ethical Practices
  • Legal
  • Non-discrimination
  • Opportunities
  • Privacy
  • Sitemap

Web development with ❤️ by:

© 2017-2021 Applied Law & Technology (Pty) Ltd (t/a ALT Advisory) is a private company registered in the Republic of South Africa (2017/145368/07). All rights reserved.
If you're still reading this you must be bored. Come and visit us and we'll have a cup of coffee.
Our website uses cookies to improve your experience but we are fully committed to respecting your privacy. ACCEPT COOKIE SETTINGS PRIVACY POLICY
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are as essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Non-Necessary cookies may not be particularly necessary for the website to function and are used specifically to collect data via Google Analytics. None of the data collected constitutes personally identifiable information.

COVID-19: Level 3 Advisory

 

Level 3 status: Our offices are partially open and we’re fully available online.

As a result of the implementation of the Level 3 Regulations on 28 December 2020, our physical offices are partially open for necessary and essential matters and we are fully available remotely. We can be contacted on +2711 268 6881 or at [email protected] for pre-existing and new matters. All necessary office protocols have been implemented. We hope that everyone continues to stay safe during this time and please visit https://sacoronavirus.co.za for more information.