French Court Upholds $56 Million Google GDPR Fine

Largest Penalty Levied So Far Under EU's Privacy Regulation
France's top court has upheld a €50 million ($56 million) fine against Google for violating the EU's General Data Protection Regulation with its advertising personalization model that lacked adequate user consent measures, according to CNIL, France's regulatory authority. The fine is the biggest yet for a GDPR privacy policy violation.

Google had appealed the fine that was announced in January 2019 by the Commission nationale de l'informatique et des libertés, or CNIL. In January 2019, the commission found Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads.

The court, in its ruling Friday, noted that the information available to consumers is sometimes incomplete, "in particular regarding the data retention period and the purposes of the various processing operations carried out by Google," Reuters reported.

Google tells Information Security Media Group it will review changes the company needs to make in response to the ruling.

"People expect to understand and control how their data is used, and we've invested in industry-leading tools that help them do both," a Google spokesperson says. "This case was not about whether consent is needed for personalized advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make."

GDPR Violations

The CNIL noted when it announced the fine that when someone created an account with Google, the company did not make clear what data it was collecting - as is required under GDPR - nor was it easy to find this information during the sign-up process. User consent for data usage was collected via a pre-checked box, which is not allowed under GDPR.

Google's practices were placed in the spotlight after the CNIL followed up on complaints filed by two privacy-focused advocacy groups: None of Your Business and La Quadrature du Net.

GDPR empowers EU data protection authorities to impose fines of up to €20 million ($23 million) or 4% of an organization's annual global revenue - whichever is greater.

CNIL Guidelines

France's highest court, the Council of State, has essentially validated the CNIL's July 4, 2019 guidelines relating to the use of cookies and tracers under GDPR. The guidelines say users should be able to:

  • Refuse to give consent as easily as they give consent;
  • Withdraw their consent as easily as they gave it;
  • Provide consent for each purpose for which data is used;
  • Be informed of the identity of the data controllers who set cookies. The list containing the identity of the data controllers must be made available when consent is obtained and must be updated regularly.

In addition, data controllers must be able to demonstrate to the CNIL that they have obtained valid consent.

The court, however, did slap down the CNIL on one item.

"The Council of State annulled the provision of the guidelines prohibiting in a general and absolute manner the practice of the 'cookie walls' by judging that such a prohibition could not appear in an act of flexible law. The CNIL takes note of this decision and will adjust its guidelines and its future recommendation accordingly to comply with it," the CNIL says in a statement.

A "cookie wall" is a requirement that a website visitor accept the placement of a cookie on their device in order to gain access to a website.


About the Author

Doug Olenick

News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to joining ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.
