Blog » 50 MILLION EURO GIGA GDPR-FINE FOR GOOGLE – SURE WE HAVE A COMMENT!
50 MILLION EURO GIGA GDPR-FINE FOR GOOGLE – SURE WE HAVE A COMMENT!
06 February 2019
During the preparation of the GDPR, it was often pointed out in professional circles that Google and Facebook are the primary targets of the strictest data protection regime of the world. Well, a little more than half a year after the GDPR entered into force, the sword of the French data protection authority has hit Google. Let’s see why the authority awarded the tech-giant with a modest fine of 50 Million Euros?
1. Why did the authority initiate the investigation?
The first day of the applicability of the GDPR has just come and the representative associations None Of Your Business and La Quadrature de Net have gone straight to the French data protection authority (CNIL) to make complaints against Google.
The two associations collected the complaints of almost 10.000 data subjects and objected to Google’s data processing and data protection practices on similar grounds.
The major problem of the associations was that Google does not have a valid legal basis for processing personal data, especially when it comes to the data processing for ads personalization purposes. The complaint of the None Of Your Business concerned mainly the data processing in relation with the usage of the Android operation system.
2. Why did the French authority act?
The fact that the representative associations filed the complaints with the CNIL, did not make it fully clear that the French authority shall make the investigation. Indeed, Google claimed that he has his main European establishment in Ireland, thus the Irish data protection authority should examine the complaints.
Nevertheless, CNIL did not let to stop itself so easily. After a thorough examination, CNIL established that the Irish subsidiary of Google cannot be considered as a main establishment. The reason for that is that the Irish company does not have real decision-making powers in relation with the data processing, more precisely it does not define the purposes and means of the data processing.
After overcoming the competency obstacle, CNIL could start the examination of the substantive issues.
At first, CNIL has carried out a deep assessment of the information provided by Google for the users about the processing of their personal data and to put it mildly, he was not impressed at all.
Furthermore, the policies are not suitable for the users to understand the essence of Google’s data processing activities and their consequences to their private lives.
For example, the purposes of the data processing are described in a too generic manner and often the retention periods of the data are not defined.
4. What is the problem with the consent gained by Google?
Google thought that there could be no problem with the legal basis of its data processing since the users have given their consent, for instance when they created a Google account.
However, it is true that the users have given consent, but in CNIL’s opinion the consent is not valid for more reasons. As the information provided by Google about the data processing, as said earlier, is not appropriate, it is obvious that the consent based on that information is also inadequate. Indeed, the condition of a valid consent is that it is based on sufficient information.
The other, maybe even more serious problem is that the ’consent’ collected from the users is neither specific nor unambiguous.
The reason for that is that Google has often used pre-ticked checkboxes for its consent requests. That means that the users should have done extra steps for not to consent to the data processing and not vice versa. But the ’silence means consent’ approach does not work based on the GDPR.
Moreover, Google has not requested the consent distinctly for each data processing purpose, but he made the user consent in full to every data processing purpose with one (pre-ticked) checkbox. And you do not need to be a data protection expert to understand that this is not OK.
5. Why is the amount of the fine 50 Million Euros?
Let’s see why CNIL was so ‘generous’ with the level of the fine-
To start, CNIL has considered that Google breached essential data protection obligations, in addition really seriously, like having a valid legal basis for the data processing and providing sufficient information to the data subjects about the data processing.
When assessing the level of the fine, CNIL has taken into account the industrial role of Google, meaning that Google processes a huge amount of data of many data subjects, since in France thousands of people create a Google account every day.
Further, among the data there are also sensitive ones such as which kind of applications are used or what are the shopping habits of the user. Moreover, Google’ economic model is partly based on ads personalization thus it needs to be expected that if Google does it then he shall do it right (at least from data protection point of view).
Finally, CNIL has considered that this is not a one-off, time limited infringement, but Google breaches the GDPR since a long time until this very day.
We are curiously waiting for the afterlife of the decision since it is not final yet. Indeed, the case could affect all applications developed for Android and every data processing which could have connection with Google such as the analysis of the webpages with Google Analytics. If there is any update, we sure will inform you.
IS THE JUDGE BIASED BECAUSE OF UNFAVOURABLE JUDGMENT IN OTHER CASE?
Can a judge be disqualified from deciding the legal dispute on the grounds of bias if he has delivered a judgment unfavourable to the plaintiff in another case? Can a court be biased if the plaintiff has "challenged" a previous decision of the court before the European Court of Human Rights? In this article, we answer these questions by analysing a recent judgment of the Hungarian Supreme Court.Read more »
CAN INCOMPATIBLE WORKPLACE BEHAVIOUR BE A GROUND FOR DISMISSAL IN HUNGARY?
Refusal of employer 's instructions, unjustified absence, intentional damage: some cases where the justification for dismissing an employee is relatively easy to determine. What happens, however, if the employee does not commit a severe breach of duty similar to the one above, but his or her colleagues consider him incompatible, with whom it is impossible to cooperate, or even afraid of him or her. Can dismissal be justified by behaviour that is incompatible with others and creates disharmony in the working environment? In our article, we seek the answer to this question in the light of Hungarian judicial practice.Read more »
CAN A JUDICIAL ERROR CREATE HUNGARIAN JURISDICTION DESPITE A PLACE OF PERFORMANCE ABROAD?
Can a defendant, domiciled abroad, be sued in Hungary under the Brussels I Regulation in the event of defective performance of an international sales contract if the place of performance is abroad? Can the jurisdiction of a Hungarian court be established based on the fact that the lower court expressly established its jurisdiction at the beginning of the litigation? How is the EXW clause to be interpreted within the meaning of the Brussels I Regulation? In our article, we analyse the recent decision of the Supreme Court of Hungary.Read more »