The French data protection regulator, the CNIL has issued their first GPDR fine. And it has landed on Google for the sum of €50million, the largest seen yet under GDPR.

The breaches of GDPR were two-fold.

Firstly, a breach of the obligation of transparency. Simply put, in relation to the personalisation of advertisements, CNIL found that essential information on how data is processed, storage periods and the categories of data used for ads personalisation where not easily accessible to users. Rather, the information required to make an informed decision was spread over multiple documents and required multiple actions to build up a full picture. Even then CNIL found that the information is not always clear or comprehensive.

Secondly, CNIL found that Google violates the obligation to have a lawful basis for processing. Google uses consent as its lawful basis for processing, but (in relation to the breach of transparency), CNIL considers that users are not sufficiently informed. Additionally, it was ruled that users’ consent is not sufficiently informed. As CNIL explains:

"The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, Youtube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.

Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.

When an account is created, the user can admittedly modify some options associated to the account by clicking on the button « More options », accessible above the button « Create Account ». It is notably possible to configure the display of personalized ads.

That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Finally, before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose."

The fine, above the oft-cited €20million and into the "up to 4% of turnover" territory. Why so large?

Partly the scale of the infringement with thousands of new users each day in France alone using Google services on their phone. Partly the infringements are on-going infringements of the basis principles of GDPR (transparency of information and use of consent). Partly the huge amount of data involved across a wide variety of Google services. And partly because this is how Google makes its money - therefore it carries a responsibility to comply.