CNIL fines Google €50 million for GDRP Violation

On the 21st of January, 2019, CNIL, France’s data protection regulator has issued Google a whopping $56.8 million USD. i.e. 50 million Euros. This was with regard to Google failing to comply with its GDPR obligations.

As The Verge says, this is the biggest GDPR fine yet to be issued by a European regulator; and it’s the first time one of the tech giants has been found to fall foul of the tough new regulations; that came into force in May last year.

The Reason behind CNIL issuing a Fine –

CNIL said that the fine was issued because Google failed to provide enough information to users about its data consent policies; Google also didn’t give them enough control over how their information is used. According to the regulator, these violations are yet to have been rectified by the search giant. This means making consent an explicitly opt-in process that’s easy for people to withdraw.

#1 – Lack of Transparency

Firstly, the CNIL concluded that “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the regulator writes.

For instance, if a user wants to know how their data is processed to personalize ads; it takes 5 or 6 taps. The CNIL finds it too hard to understand how your data is being used; Google’s wording is broad and obscure on purpose.

More Insight –

No more Gender Bias – Google Translate

Google forays apps for user Privacy!

#2 – Consent Flow

Google’s consent flow doesn’t comply with the GDPR according to the CNIL. By default, Google really pushes you to sign in or sign up to a Google account. The company tells you that your experience will be worse if you don’t have a Google account. According to the CNIL, Google should separate the action of creating an account; from the action of setting up a device; consent bundling is illegal under the GDPR.

If you choose to sign up to an account, when the company asks you to tick or untick some settings, Google doesn’t explain what it means. For instance, when Google asks you if you want personalized ads, the company doesn’t tell you that it is talking about many different services; from YouTube to Google Maps and Google Photos; this isn’t just about your Android phone.

#3 – Unambiguous Consent

Google doesn’t ask for specific and unambiguous consent when you create an account; the option to opt out of personalized ads is hidden behind a “More options” link. That option is pre-ticked by default (it shouldn’t).

#4 – Terms

Google ticks a box that says “I agree to the processing of my information as described above; and further explained in the Privacy Policy” when you create your account. GDPR also forbids broad consent like this.


The non-profit organisations –

Two nonprofit organizations called ‘None Of Your Business’ (noyb) and La Quadrature du Net had originally filed a complaint back in May 2018; noyb originally filed a complaint against Google and Facebook, so let’s see what happens to Facebook next. The local data protection watchdogs would transfer the data.

Chairman of noyb Max Schrems has sent us the following statement:

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR; to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’; and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be complaint is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit. I would also like to thank our supporters who make our work possible.”

Update: A Google spokesperson has sent us the following statement:

“People expect high standards of transparency and control from us. We’re studying the decision to determine our next steps.”

The CNIL filing –

On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC; in accordance with the General Data Protection Regulation (GDPR); for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). 1000 people mandated LQDN to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis; to process the personal data of the users of its services; particularly for ads personalization purposes.

Also, consumer groups accused Google of GDR privacy violations, across seven European countries; over what they claim are “deceptive practices” around its location tracking.

Leave a comment

Your email address will not be published. Required fields are marked *

Navaneetha Suresh

Navaneetha Suresh

Navaneetha, commonly known as "nav", loves to read, play badminton, play the keyboard and sing but when she's not doing any of those, she loves to write. What started as a high school hobby to write is now her ongoing passion.

Ask us,
learn more

Share your Feedback/Query with us and our team will get in touch with you within 2 business Days.

tell us a bit more.