On 21 January 2019, the French Data Protection Authority (the “French DPA”) fined Google LLC 50 million euros for breach of the GDPR.
As we reported on this blog, just after GDPR became applicable, noyb.eu (None of Your Business), the non-profit privacy organization set up by Max Schrems, the Austrian lawyer who initiated the action against Facebook that led to the invalidation of the Safe Harbor, and a French organization called “La Quadrature du Net”, filed the first complaints based on GDPR. These complaints targeted major technology companies such as Google, Facebook, Instagram, Whatsapp and Linkedin before various European DPAs. The French DPA is the first one to render a decision against one of these tech giants.
In its decision, the DPA explains that it investigated the Android’s user “click path” from the creation of a Google account to the day-to-day use of the smartphone and found that Google was in breach of two of the GDPR main principles:
- Lack of transparency and inadequate information
Under the GDPR, data controllers must disclose to individuals whose personal data is processed certain information, and that information must be written in a concise, transparent, intelligible and easily accessible way, using clear and plain language.
According to the French DPA, the information provided by Google to its users is not sufficiently clear and plain. The DPA also noted that key information, such as the data processing purposes, the data storage periods or the categories of personal data used for Google ads personalization, is excessively disseminated across several documents (sometimes requiring 5 or 6 clicks by the user before reaching the actual information).
- Lack of valid consent regarding the ads personalization
The GDPR provides that any data processing must be done on the basis of one of the legal basis listed in the GDPR, which includes consent.
This is not the first time a fine is issued for breach of the GDPR, but it is by far the biggest although still far away from the maximum limit which is 4% of the worldwide sales. The French DPA explained that the amount fined and the publicity of the decision are justified by “the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent”.