Google loses appeal against €50m GDPR fine


France’s Highest Administrative Court has upheld the decision of the French Data Protection Authority (the CNIL) to impose a €50 million fine on Google under the GDPR for its failure to:

  1. Provide privacy information in an easily accessible form, using clear and plain language, and
  2. Obtain users’ valid consent to process their personal data for ad personalisation purposes.

In particular, the CNIL found that essential information about the data processing (such as the purposes, the data retention periods or the types of personal data processed) was spread across several pages, and that users sometimes needed to complete up to six actions to obtain that information. In addition, the CNIL said that the description of some information was too vague and did not allow users to understand the extent of the data processing carried out by Google.

The GDPR provides a list of criteria regulators are expected to use in the assessment of whether a fine should be imposed and the amount. In that respect, Google claimed that the CNIL’s decision did not state sufficient reasons because the CNIL did not comment on all of the criteria of Article 83(2) of the GDPR and did not explain how the amount of the fine was calculated. The Court found that the fine was not disproportionate given the:

  • Gravity of the alleged infringements
  • Fact that they were still occurring at the time of the CNIL’s decision
  • Length of time they persisted
  • Maximum limits for fines provided by the GDPR and
  • Google’s financial strength

Insight

This decision illustrates how important it is for organisations to have a privacy policy (notice) that can be easily found and understood by its intended audience. It also demonstrates that regulators take this very seriously and are willing to impose large fines on those who transgress the GDPR.
