Posted on 28 January 2019

The French counterpart to our own Information Commissioner, the Commission nationale de l'informatique et des libertés (CNIL), has issued a €50 million fine (£44 million or nearly US$57 million) against Google LLC.

The investigation by CNIL and the resulting fine came about following complaints submitted to CNIL in May 2018 by two data protection pressure groups: None of Your Business (NYOB) led by privacy campaigner Max Schrems, and La Quadrature du Net (LQDN) on behalf of 9,974 individuals.

 These complaints were that:

  • Android mobile users were forced to accept Google’s privacy policy and general terms and conditions in order to use their device (submitted by NYOB); and
  • Google has no lawful basis to process personal data for behaviour analysis and advertising personalisation (submitted by LQDN).

The CNIL found that while Google had made progress in its data protection practices in recent years, it had still failed to comply with the requirements of the GDPR by:

  • not processing personal data in a transparent manner;
  • not providing sufficient or satisfactory information to data subjects regarding its processing activities; and
  • collecting invalid consent to the processing of personal data for advertising personalisation.

Under the GDPR the maximum fine that CNIL could have imposed was 4% of Google’s annual worldwide turnover. Doing so would have left Google with a bill for €3.84 billion (US$4.28 billion or £3.35 billion). On reflection, CNIL’s fine (0.005% of Google’s turnover), while much more significant than any levied under the old data protection rules, could certainly have been worse. As the European Information Commissioners adjust to their new powers and sanctions, perhaps we will see more willingness to impose substantial fines. Of course, it is best to avoid fines altogether!

Mewburn Ellis advises a wide range of international and domestic clients on how to achieve and maintain GDPR compliance.

If you would like to speak to a member of the team please contact  Emma Kennaugh-Gallacher at

Emma Kennaugh-Gallacher

Contact Emma Kennaugh-Gallacher

Emma is a member of our legal services team with experience in IP licensing and assignment and confidentiality agreements. She is a certified Data Protection (GDPR) practitioner. Emma also works with our dispute resolution team providing support for early stage IP litigation for infringement of copyright, trade marks, registered and unregistered design rights and patents.

Related Posts