Following an inspection of Google LLC, the restricted committee of the French Commission Nationale de l’Informatique et des Libertés (hereinafter referred to as the “CNIL”) decided that Google LLC had committed two types of breaches of the French Data Protection Act and the General Data Protection Regulation (“GDPR”), and imposed a penalty of 50 million euros.
The two types of breaches are the following:
1. Violation of transparency and information
The first breach concerns the violation of the obligations of transparency and information. The restricted committee decided that the information provided by Google LLC is not easily accessible to its users and that some of the information is confusing and incomplete. It further decided that the use of data and the purposes of processing are explained only vaguely, so that users cannot fully understand the extent of the processing carried out by Google LLC.
2. Violation of the obligation to have a legal basis for ads personalization processing
The second breach relates to consent as a legal basis. The CNIL’s restricted committee decided that the consent obtained by Google LLC to process data for ads personalization purposes is not validly obtained as “consent is neither specific nor unambiguous”. It further explained that, under the GDPR, consent is specific only if it is given distinctly for each purpose, and that this is not so in Google LLC’s case.
Measures to be taken in order to comply
In view of the above, companies should take all necessary steps to comply with the GDPR, as national data protection commissions all over the European Economic Area have started to impose penalties. It is expected that other national data protection commissions will soon follow the CNIL’s example of imposing extremely high fines. In light of the CNIL’s decision, companies are advised to:
- Enable users to have easy access to their data
- Be specific when stating what data is being collected and how it is to be used
- Provide users with clear, easily accessible and easy-to-read data
The above-mentioned measures cannot, of course, guarantee full compliance with the GDPR. Complying with the GDPR is an ongoing undertaking; thus a series of steps needs to be taken to achieve full compliance. At GLOBALSERVE, our experts have been providing GDPR compliance services since before the GDPR entered into force and can assist you with any GDPR-related issue.