EUR 50 million GDPR sanction issued against Google for lack of transparency, valid legal basis, and lack of consent


On January 21, 2019, the CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority), restricted committee, for the first time applies the new sanctions limit provided by the GDPR and sanctions Google for EUR 50 million for two GDPR violations:

1. “violation of the obligations of transparency and information

“First, the restricted committee notices that the information provided by GOOGLE is not easily accessible for users. … Moreover, the restricted committee observes that some information is not always clear nor comprehensive. …Finally, the restricted committee notices that the information about the retention period is not provided for some data.”

2.  “violation of the obligation to have a legal basis for ads personalization processing

“… GOOGLE states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons. First, the restricted committee observes that the users’ consent is not sufficiently informed. … Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”. … Finally, before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.:

(see “The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC” available here)

The sanction originates from two complaints received on 25 and 28 May 2018 from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”), which complained, among others, that Google di not have a  valid legal basis to process the personal data of its users, with particular reference to ads personalization purposes. Read here the statement of NOYB.

More information here

Francesca Giannoni-Crystal