In France, the first high penalty was imposed under the General Data Protection Regulation (GDPR). Google did not sufficiently meet the new requirements, the local data protection authority decided. The procedure initiated by the data protector Max Schrems.
The first big penalty in connection with the EU General Data Protection Regulation will be charged to Google in France with 50 million euros. The French Data Protection Authority (CNIL) found violations of the GDPR applicable since 25 May 2018.
Among other things, information on the use of the data collected and the storage period for users are not easily accessible, the authority said on January 21, 2019. They were spread over several documents and users would have to click through several links and buttons. In addition, some of the information is unclear.
“Sometimes it takes up to 5 clicks to access information,” he added, noting that Google does not provide “clear and comprehensible information”, Mathias Moulin continued. Finally, Google may appeal this decision to the State Council, the highest administrative jurisdiction in France.
In addition, Google’s consent to display personalized advertising is not valid because users are not sufficiently informed. So the variety of participating Google services such as Youtube, Google Maps or the Internet search is not apparent, said the CNIL.
The Internet company said it wanted to decide after a detailed examination of the decision on how to proceed in the case. Google was determined to meet users’ high expectations of transparency and control over the data. For the Internet company, the fine is a small amount. For example, Google had digested the EU Commission’s two-billion-euro antitrust fine in just one quarter each.
The highest DSGVO penalty so far
It was the first punishment of the authority after the DSGVO. According to the regulation, fines of up to four percent of the annual turnover of a company can be imposed. The maximum penalty for Google would, according to the data protector Noyb 3.7 billion euros. Among other things, the GDPR provides that companies must inform users transparently about the use of their data.
The investigation was triggered by complaints from the privacy organizations La Quadrature du Net and Noyb (from: None Of Your Business) by the well-known Facebook critic Max Schrems. They were submitted directly after the entry into force of the GDPR, the authority had checked the websites in September. Schrems explained after the CNIL decision that big corporations like Google would have adapted their offers only superficially. “It is important that the authorities clarify that that is not enough.” Noyb also filed a DSGVO appeal against Facebook and its Instagram and Whatsapp services .