On 21 January 2019, Google became the first tech giant to be sanctioned for infringing the provisions of the new General Data Protection Regulation (GDPR). However, this first significant disciplinary action is the classic “tip of the iceberg”.
After eight months of investigation, the French Data Protection Authority (Commission Nationale de l’informatique et des Libertés – CNIL) imposed a €50 million fine on Google LLC for lack of transparency, inadequately provided information and invalid consent in relation to ads personalization.
From the day the GDPR came into force, CNIL received two group complaints, from the associations None of Your Business (NOYB) and La Quadrature du Net (LQDN). Both organisations claimed that Google did not have a solid legal basis for processing the personal data of its users, in particular for the purpose of personalized ads.
It is important to highlight that Google's European headquarters is based in Ireland. Under the one-stop-shop (OSS) principle, an organisation deals with only one interlocutor, which is normally the Data Protection Authority of the country where the company's establishment is located. We would therefore have expected the Irish Commissioner to be considered the lead authority in sanctioning Google for its infractions. In this particular case, however, it was not possible to consider that Google had a main establishment in the EU. Under these circumstances, the OSS principle was not applicable, and CNIL was considered the competent lead authority to take decisions on the case.
As mentioned before, Google has been fined for violating two obligations: a) the obligation of transparency and information, and b) the obligation to have a legal basis for the data processing behind personalized ads.
Violation of the obligation of transparency and information
CNIL noted that the information provided by Google was not easily accessible to European data subjects. Relevant information, such as the personal data retention period, the purposes of the data processing and the categories of personal data used for ads personalization, was scattered across several documents reachable through a series of links and buttons. As a result, essential information is accessible only after several steps. Furthermore, data subjects were not able to fully understand the extent of Google's processing operations, since the purposes of processing and the legal basis of those processing operations are not clear enough.
Violation of the obligation to have legal basis for ads personalization processing