Google fined €50 million under GDPR
24 Jan 2019
Google has been fined €50 million by the French data protection authority.
The landmark case is the first large fine issued by a data protection authority under the General Data Protection Regulation (GDPR).
Google was fined €50 million by the French data protection authority (CNIL) because the company failed to comply with the transparency and information requirements of the GDPR.
The decision was specifically in relation to Google’s Android operating system. The CNIL ruled that the privacy policy for Android was not clear, with users unable to find concise information about the use of their geo-location data and about targeted advertising.
The use of geo-location data was particularly important to the development of this case. The CNIL judged that geo-location data presents a far greater level of risk to individuals’ data protection rights. This is because Google would be able to make accurate inferences about someone, which in some circumstances means they were processing special categories of data. For example, if an individual’s device was being used from inside a church every Sunday then their religious belief could be inferred.
This is not the first time that the use of geo-location data has been raised by the CNIL. In a 2018 enforcement action against Vectaury, it ruled that users of an app were not made aware of the fact that the app would collect their location data. The CNIL required Vectaury to delete the data that they had illegally collected. Google could have a similar ruling imposed upon them.
Consequences of this nature were not made readily available in the privacy notice and processes were not explained in detail or in terms that users would readily understand.
Furthermore, the legal basis that Google was relying on for the use of the data and for targeted advertising was not clear. The lack of clarity around the legal bases was an aggravating factor in the case.
The use of pre-ticked boxes was criticised by the CNIL, who found that consent to receive targeted advertisements was not on the main sign-up page for Android and was, in fact, pre-ticked. In effect, users were already opted-in to receive targeted marketing. However, GDPR states that consent cannot be implied and explicitly bans the use of pre-ticked boxes as a method for gathering consent.
Google will almost certainly challenge the decision and will likely claim that they had tried to make information readily available to users and will clarify their legal basis for a number of different processes.
The case has brought wider issues into the limelight, importantly the tension between the advertising-funded model of the internet and data protection rights. People often expect to use a myriad of online services for free, in most cases exchanging their personal data in return for using a service. If regulation makes this business model unworkable then far more online services will become chargeable. This tension is one that regulators have fundamentally failed to address so far.
The principles raised in both of these cases could be applied to many other organisations involved in digital advertising. They must take heed and aim to improve transparency with their customers and users.
Unfortunately for Google, they may face similar enforcement action from other data protection authorities (DPAs) as this case was not carried out under the one-stop-shop mechanism. Although Google does have their European headquarters in Ireland, the CNIL and Irish DPA ruled that Google Ireland did not have responsibility for the Android operating system, which the enforcement case was against. Google may well receive more fines in the coming months.