Google has lost an appeal against a $56 million GDPR fine by CNIL, the data protection authority in France. The fine was issued last year when Google was accused of not making it “sufficiently clear” to Android users on how the company processes their personal data. France’s State Council, the highest court for administrative law, rejected Google’s appeal against the fine. The State Council agreed that the size of the fine was appropriate, especially due to both the severity and the continued presence of violations. Additionally, the court asserted that the CNIL has jurisdiction to regulate Google, and by extension, other large tech giants.
This fine against Google is the largest so far for a technology firm under Europe’s data protection law, the GDPR. Though the fine is relatively low in comparison to Google’s revenue, it may be enough to encourage the company to make changes on how it looks after consumer data.
Consent must be “informed, specific, and freely given” for it be valid under GDPR. French judges determined that Google did not provide enough clear information to obtain lawful consent. For example, having a pre-ticked checkbox is not compliant with GDPR. Since consent is a fundamental aspect of the regulation, it’s important that companies both small and large are getting it right. Our award-winning Data Protection Officer service helps clients to ensure they are on the right side of the regulation when obtaining consent.
A breach of the regulation can lead to a fine up to 4% of annual turnover or £500,000.
A Google spokeswoman released a statement on the court’s decision, saying,
People expect to understand and control how their data is used, and we’ve invested in industry-leading tools that help them do both. This case was not about whether consent is needed for personalised advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make.
A warning to tech giants
Many European countries have started to fine large tech companies for breaching GDPR. Earlier this month, AEPD, the Spanish data authority fined Twitter €30,000 for using an unlawful cookie banner. Similarly, Ireland’s data watchdog is investigating complaints against Google’s use of ad-tech and location data.
NGO NoYB (None of Your Business), one of the privacy groups who first lodged a complaint against Google stated that they “welcomed the court’s decision on all fronts, including the jurisdiction point”.
Kazient Privacy Experts offer bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.