The French counterpart to our own Information Commissioner, the Commission nationale de l'informatique et des libertés (CNIL), has issued a €50 million fine (£44 million or nearly US$57 million) against Google LLC.
The investigation by CNIL and the resulting fine came about following complaints submitted to CNIL in May 2018 by two data protection pressure groups: None of Your Business (NYOB) led by privacy campaigner Max Schrems, and La Quadrature du Net (LQDN) on behalf of 9,974 individuals.
These complaints were that:
- Google has no lawful basis to process personal data for behaviour analysis and advertising personalisation (submitted by LQDN).
The CNIL found that while Google had made progress in its data protection practices in recent years, it had still failed to comply with the requirements of the GDPR by:
- not processing personal data in a transparent manner;
- not providing sufficient or satisfactory information to data subjects regarding its processing activities; and
- collecting invalid consent to the processing of personal data for advertising personalisation.
Under the GDPR the maximum fine that CNIL could have imposed was 4% of Google’s annual worldwide turnover. Doing so would have left Google with a bill for €3.84 billion (US$4.28 billion or £3.35 billion). On reflection, CNIL’s fine (0.005% of Google’s turnover), while much more significant than any levied under the old data protection rules, could certainly have been worse. As the European Information Commissioners adjust to their new powers and sanctions, perhaps we will see more willingness to impose substantial fines. Of course, it is best to avoid fines altogether!
Mewburn Ellis advises a wide range of international and domestic clients on how to achieve and maintain GDPR compliance.
If you would like to speak to a member of the team please contact Emma Kennaugh-Gallacher at firstname.lastname@example.org