What you can learn from tech giant’s data protection mistakes

in Legal, 13.02.2019

The French data protection authority imposed a fine of 50 million euros against Google for violating the EU’s General Data Protection Regulation (GDPR) principles. What does this decision mean for your business, for your website and for your processes?

On 21 January 2019, the French supervisory authority for data protection, Commission Nationale de l`Informatique et des Libertès (CNIL), imposed a fine of 50 million euros against Google for “lack of transparency, inadequate information and lack of valid consent” regarding its ads personalization process for users. The full decision in French can be found here.

The case was instigated by two associations, namely None of your Business and La Quadrature du Net, which gathered in total of 9,974 complaints and was filed the day the GDPR came into force on 25 May 2018.

Violations observed by CNIL

The breach of the new GDPR was seen to consist of obstacles faced by the users while gaining access during the initial configuration of mobile phones using an Android operating system. The set-up architecture required five different actions to access the information related to ads personalization and six different actions related to geolocation. In particular, if the users wished to find information on processing operations required by Art. 12, 13 GDPR, they had to go through several documents and hyperlinks to access such information. Users were therefore not aware of the plurality of services, websites and applications and the combined amount of personal data being collected.

Additionally, CNIL found another violation regarding how consent was collected. It was neither “specific” nor “unambiguous” and that it could not, therefore, have been deemed as “sufficiently informed”. In the account personalization settings, which contains the choice of displaying personalized ads, there were several boxes pre-checked by default. But consent is unambiguous only if the data subject takes a deliberate action to consent to a particular processing method by making a clear affirmative act – in this case checking a box.

Finally, before the users created an account, they were asked to tick the box “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further stated in the Privacy Policy”. By consenting and ticking these boxes, consent was given for all processing operations purposes i.e. ads personalization, etc. However, the GDPR requires data controllers (in this case Google) to obtain specific consent, meaning the consent of the data subject must be given in relation to “one or more specific” purposes and that a data subject has a distinct choice in relation to each purpose. This requirement was not fulfilled.

CNIL stated on its web page: “Despite the measures implemented by Google, such as configuration tools and documentation, the infringements observed deprive users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. “

Criteria behind the decision to penalize Google

The CNIL decided to impose a financial penalty in the amount of 50 million euros against Google, justifying the hefty amount by taking into consideration the following criteria:

  • Nature of the breach – The lawfulness of processing and the obligations of transparency and information are essential, because they ensure the exercise of people’s rights and therefore allow them to maintain control over their personal data;
  • It is a continuous violation – It was not a single and/or one time-off occasional infringement;
  • Gravity of the violation – Considering the predominance of the Android operating system on the French market for mobile operating systems and the number of users in France, in particular the purpose of the processing operations, their scope and the large number of persons concerned.

How to avoid GDPR compliance issues

In light of this specific decision, I’ve compiled a list of important points that might help you to avoid compliance issues under the GDPR:

  • Be open and honest in fulfilling the transparency obligations of the right to be informed. Transparency is about being clear about who you are and how and why you collect personal data. Make sure you inform data subjects accordingly in your contracts, on your websites, etc.
  • Inform data subjects (e.g. your clients, users, etc.) in a way that is concise, intelligible and easily accessible – this means that the information or communication needs to be presented efficiently and succinctly in order to avoid information fatigue. Such information needs to be clearly differentiated from other non-privacy related information such as contractual provisions or general terms of use/business.
  • Do not use pre-ticked boxes or any other type of default consent – meaning any form of silence or inactivity. The data subject must take clear action to opt-in. It must be obvious that a data subject intended to consent – silence is not a valid option.
  • Use clear, plain language that is easy to understand (See: How to Write Clearly by the European Commission).
  • Avoid making consent a general precondition of a service, meaning that you require someone to agree to processing of personal data as a condition of a service. Carefully assess that specific situation because such consent may be invalid.



Our services and further information:


Leave a Reply

Your email address will not be published.