On 21st January 2019, France’s data protection regulator, CNIL fined Google 50 million euros (AUD $80 million) for breaches of the European Union’s General Data Protection Regulation (GDPR).
Complaints were made against Google by two associations in May 2018, claiming that Google did not have sufficient legal justification to process personal data from users - specifically in features such as ad personalisation. CNIL commenced an investigation in September 2018, to determine whether Google had complied with Data Protection Act and the GDPR.
Google was in breach. The CNIL found two main infringements:
CNIL found that Google did not provide sufficient information to users regarding how their data was to be processed, how long it was to be retained, or how it would be used in features such as ad personalisation. Information provided by Google regarding data usage was scattered and required multiple successive clicks to access, and in some instances 5 to 6 clicks. Furthermore, information provided by Google was not clear or comprehensive, and found to be generic. It contravened transparency obligations under Articles 12 and 13 of the GDPR. Moreover, the information was not clear regarding the intent for processing users’ data.
- Legal Basis to Obtain Data
Google was found to have not collected sufficient consent from its users prior to collecting and processing data, particularly for ad personalisation. Firstly, users were not sufficiently informed regarding the range of the services, websites and other features involved in processing user’s data. The services utilising this data included Google search, You Tube, Google Maps and several others.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.