50 million Euro fine upheld for Google due to GDPR breach

Remember the 50 million Euro fine levied against Google in May 2018 by the French data protection authority (CNIL) for its failure to abide by the GDPR? It’s now official – the tech giant has really been asked to pay up. And not only that. In its final ruling French Highest Administrative Court (“Conseil d’Etat”) has also provided clarity as to how genuine user consent must be obtained in the future.

The CNIL had issued a caution to the concern in January 2019 because Google Android users had not been informed clearly enough how their personal data is used. The CNIL complained that the relevant information in Google’s data protection provisions could only be accessed with difficulty and that it was spread over numerous documents, which did not comply with GDPR. Google then filed an appeal. This was then rejected on 19th June 2020 by the Conseil d’Etat.

The reasoning: Google had not provided Android users with “sufficiently clear” information regarding the use of their data for targeted advertising – which by implication meant the concern had not legally obtained consent to use the data for marketing purposes. In short, Google did not comply with the (1) transparency and information duty (2) valid consent from users. 

According to the GDPR, user consent must satisfy certain criteria to serve as an adequate legal basis for the processing of personal data. 

Amongst others things, consent must be: 

 ✔ informed 

 ✔ specific (that is separate for each purpose) and 

 ✔ provided voluntarily.

Consent obtained using pre-ticked boxes are likewise not GDPR compliant because they breach the notion of it being voluntary in nature. This has also been recently confirmed by the court in the Planet 49 case.

It was not the first time that Google had been cautioned by the CNIL. In 2014, before the GDPR had come into force, the data protection authority levied a 150,000 Euro fine against the company – which at that time was the largest possible amount. The reason was Google’s breach of the French data protection regulations. Two years later, another fine amounting to 100,000 Euros was levied due to breach of the “right to be forgotten” through which users can request to be removed from search results.

One thing is clear: A multi-billion dollar company like Google can pay a 50 million Euro fine from its petty cash. However, the tech giant will not be able to gather data as it did so in the past. In view of the fact that – and case law is becoming more and more unanimous here – if advertisers and publishers wish to use user data for marketing purposes, it is only possible with the explicit, voluntary and informed consent of the users.

Consent Management Platforms (CMPs) such as Usercentrics help companies to obtain and process user content in compliance with GDPR. 

⇨ This is because any company gathering data without consent risks not only enormous fines but also the loss of valuable user data and advertising revenues.