WTF!?! CNIL Fines GOOGLE $57 Million under GDPR

 Jan 22, 2019 10:00 AM
by Derek Lackey

The early fines to American tech firms will reveal another level of guidance from the Data Protection Authorities. First you should read the LAW. Then seek clarity from the official guidance documents. Then finally, look to the details of the violations. WHAT they fine for is critical information for operations people to set new practices. HOW MUCH they fine for is critical for business risk analysis.

The recent fine from CNIL for GOOGLE is based on "the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations."


CNIL claim that when setting up an Android device (GOOGLE) consents for processing data must be 

  • clear, 
  • unambiguous, 
  • easy to understand, 
  • easily accessible, 
  • communicate a legal basis for processing,  and 
  • must show a positive action on the part of the data subject.

Specifically, when signing up for an Android account the purpose of processing your personal data is far too generic and of a "vague manner". The same could be said for communicating "the CATEGORIES of data processing for various purposes". With more than 20 different service offerings, GOOGLE 's consent requests are not easily understood. It must be clear for each type of consent which legal basis for processing is being claimed AND how long GOOGLE planned to keep that information.

Therefore the consent GOOGLE believes they have, is not considered valid by the CNIL. While it "is possible to configure the display of personalized ads", CNIL determined that GOOGLE was "not sufficiently informed regarding the extent of the consents requested". GOOGLE was neither "specific" nor "unambiguous". In fact many of those consents were not easily accessed and when they were, the boxes were pre-checked, therfore no positive action was required on behalf of the data subject.

Finally, in order to set up an account, the user must agree to Terms of Service - "I agree to Google’s Terms of Service» as well as  « I agree to the processing of my information as described above and further explained in the Privacy Policy». GDPR requires "specific consent". It is only valid if it is "provided distinctly for each purpose."

It is important to note: "the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement." Look for GOOGLE to be fined again for these very same activities if these practices are not corrected immediately.