On the 21 of January 2019 Google has become the first giant tech company to be hit for the infringing of new General Data Protection Regulation provisions. However, this first relevant disciplinary action is the classic “Tip of the iceberg”.

After eight months of investigations, the French Data Protection Authority (Commission Nationale de l’informatique et des Libertés – CNIL) has imposed a €50 Million fine to Google LLC for lack of transparency, inadequately provided information and invalid consent in relation to ads personalization.

Starting from the day GDPR came into force, CNIL has received two group complaints from the associations None of Your Business (NOYB) and La Quadrature du Net (LQDN). Both aforementioned organisations claimed that Google did not have a solid legal base for processing personal data of its users, in particular for personalized ads purposes. 

It appears important to highlight that, Google European headquarter is based in Ireland. Then, according to the one-stop-shop (OOS) principle, an organisation shall have only one interlocutor: which normally is the Data Protection Authority of the country where company establishment is located. Therefore, we would have expected that Irish Commissioner would have been considered as lead authority sanctioning Google for its infractions. However, in this particular case, it has not been possible to consider that Google had a main establishment in the EU. Then, under these circumstances, the OOS principle was not applicable and CNIL has been considered the competent lead authority to take decisions about the case.

As mentioned before, Google has been fined for violating two obligations: a) obligation of transparency and information, b) obligation of having legal basis for personalized ads data processing.

Violation of the obligation of transparency and information

CNIL has noticed that data information provided by Google was not easily accessible by European data subjects. In fact, relevant information such as: personal data retention period, data processing purposes, categories of personal data also used for ads personalization was dispersive and included across several documents reachable through a series of links and buttons. Then, essential information is accessible after several passages only. Furthermore, data subjects were not able to fully understand the extent of Google processing operations since purposes of processing and legal basis of such processing operations is not clear enough.

Violation of the obligation to have legal basis for ads personalization processing

In such context, CNIL has considered that data subjects’ consent has not been lawfully obtained for two reasons. Firstly, the collected consent was not sufficiently informed. In fact, processing information included within “Ads Personalization” section was disseminated in several documents so that the data subject was not in the position to be aware of the great array of intrusive processing operations. Moreover, the French authority stated that the consent was not “specific” nor “unambiguous”. In the context of ads personalization, the user (only by clicking on “More Options” button) was able to discover that the box for ads personalization was pre-ticked. Moreover, before the creation of Google account, the user is asked to agree to the following text: “I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy”. Then, agreeing with this wide and general text, the user gave the consent for all processing operation purposes carried out by Google. However, this consent cannot be considered as “specific”. In fact, GDPR stated that the consent is specific only in relation to each processing operation purposes.