
GDPR: Google fined

  • by VGS' Editorial Board
  • 24 January 2019

On 21 January 2019, Google became the first tech giant to be sanctioned for infringing the provisions of the new General Data Protection Regulation (GDPR). However, this first significant disciplinary action is the classic “tip of the iceberg”.

After eight months of investigations, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – CNIL) imposed a €50 million fine on Google LLC for lack of transparency, inadequate information and invalid consent in relation to ads personalization.

Starting from the day the GDPR came into force, CNIL received two group complaints from the associations None of Your Business (NOYB) and La Quadrature du Net (LQDN). Both organisations claimed that Google did not have a solid legal basis for processing the personal data of its users, in particular for personalized ads purposes.

It is important to highlight that Google's European headquarters is based in Ireland. According to the one-stop-shop (OSS) principle, an organisation has only one interlocutor, which is normally the Data Protection Authority of the country where the company's establishment is located. We would therefore have expected the Irish Commissioner to be considered the lead authority for sanctioning Google's infractions. However, in this particular case, it was not possible to consider that Google had a main establishment in the EU. Under these circumstances, the OSS principle was not applicable, and CNIL was considered the competent lead authority to take decisions about the case.

As mentioned before, Google has been fined for violating two obligations: a) the obligation of transparency and information, and b) the obligation to have a legal basis for processing data for personalized ads.

Violation of the obligation of transparency and information

CNIL noted that the information provided by Google was not easily accessible to European data subjects. Relevant information, such as the personal data retention period, the data processing purposes and the categories of personal data used for ads personalization, was scattered across several documents reachable only through a series of links and buttons. As a result, essential information was accessible only after several steps. Furthermore, data subjects were not able to fully understand the extent of Google's processing operations, since the purposes of processing and the legal basis of those operations were not clear enough.

Violation of the obligation to have legal basis for ads personalization processing

In this context, CNIL considered that data subjects’ consent had not been lawfully obtained, for two reasons. Firstly, the collected consent was not sufficiently informed. The processing information included in the “Ads Personalization” section was spread across several documents, so the data subject was not in a position to be aware of the great array of intrusive processing operations. Moreover, the French authority stated that the consent was neither “specific” nor “unambiguous”. In the context of ads personalization, the user could discover that the box for ads personalization was pre-ticked only by clicking on the “More Options” button. In addition, before creating a Google account, the user is asked to agree to the following text: “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. By agreeing to this wide and general text, the user gave consent for all the processing purposes carried out by Google. However, this consent cannot be considered “specific”: under the GDPR, consent is specific only when it is given in relation to each processing purpose.
