On January 21, 2019, the French data protection authority CNIL (National Commission for the Protection of Information and Freedom) imposed a fine of EUR 50,000,000 on Google LLC for violating the provisions of the GDPR. This is the fourth, and so far the highest, penalty imposed on the basis of the provisions of the Regulation.
The proceedings in the Google LLC case were initiated after CNIL received complaints about the company's operations from non-governmental organizations, including the Austrian None of Your Business (NOYB), co-founded by Max Schrems, a well-known activist fighting for the right to privacy. The organization announced that it has already filed further complaints against Spotify, Netflix and YouTube in connection with improper handling of the right of access to data.
CNIL accused Google LLC of wrongfully obtaining consent to the processing of personal data and of improperly conveying information about data processing.
Why was a penalty imposed on Google LLC?
Google LLC did not correctly ensure the exercise of the right to information on data processing. The information was scattered across many documents, accessible via links and additional buttons, which made it difficult to obtain complete information about the data processing and required a few additional steps. In addition, the information was not provided in a clear and understandable way, which made it difficult for users to obtain full knowledge, e.g. about the purposes and duration of personal data processing.
Consents obtained from users for data processing in order to personalize the displayed ads were marked by default as given in the application form. The user could withhold consent only by entering the settings and deselecting the appropriate field. Such a method of obtaining consent has been explicitly recognized as incorrect in the Article 29 Working Party's guidelines on consent. In addition, Google LLC collected only one general consent to the processing of data, despite using the data for various purposes. The consent, therefore, did not meet the conditions of being unambiguous and specific. The authority found that Google LLC processed personal data without the correctly expressed consent of the data subjects, and consequently without having a valid legal basis pursuant to art. 6 paragraph 1 of the GDPR.
The amount of penalties for violating the provisions of the GDPR
The penalty imposed on Google LLC could have been much higher, because the described violations are punishable by up to 4% of the undertaking's global annual turnover. According to NOYB's calculations, the maximum financial penalty in this case could amount to as much as EUR 3.7 billion.
It is worth noting here that the maximum amount of financial penalties is:
- up to 20,000,000 euros or, for an undertaking, 4% of the total annual turnover from the previous financial year (the higher amount applies) - imposed e.g. for violation of basic data processing principles such as data minimization, purpose limitation and transparency, for processing personal data without a legal basis, for breaching the conditions of obtaining consent for the processing of personal data, or for transferring data to third countries and international organizations in a way that does not comply with the GDPR;
- up to 10,000,000 euros or, for an undertaking, 2% of the total annual turnover from the previous financial year (the higher amount applies) - imposed e.g. for failure by an obliged entity to appoint a data protection officer, a lack of arrangements between data controllers, use of the services of a sub-processor without the controller's consent, or a failure to implement appropriate technical and organizational measures to give effect to the privacy by default and privacy by design principles.
Financial penalties will not always be added together. If several provisions of the GDPR are violated within the same or related processing operations, the total amount of the fine cannot be higher than the highest penalty for an individual violation.