France’s Highest Administrative Court has upheld the decision of the French Data Protection Authority (the CNIL) to impose a €50 million fine on Google under the GDPR for its failure to:
- Provide privacy information in an easily accessible form, using clear and plain language, and
- Obtain users’ valid consent to process their personal data for ad personalisation purposes.
In particular, the CNIL found that essential information about the data processing (such as the purposes, the data retention periods or the types of personal data processed) was spread across several pages, and that users sometimes needed to complete up to six actions to obtain that information. In addition, the CNIL said that the description of some information was too vague and did not allow users to understand the extent of the data processing carried out by Google.
The GDPR provides a list of criteria that regulators are expected to use when assessing whether a fine should be imposed and what its amount should be. In that respect, Google claimed that the CNIL’s decision did not state sufficient reasons because the CNIL did not comment on all of the criteria of Article 83(2) of the GDPR and did not explain how the amount of the fine was calculated. The Court found that the fine was not disproportionate given the:
- Gravity of the alleged infringements
- Fact that they were still occurring at the time of the CNIL’s decision
- Length of time they persisted
- Maximum limits for fines provided by the GDPR and
- Google’s financial strength