Google Loses Appeal of €50m GDPR Fine from the French RegulatorLast Friday it was revealed that Google had been unsuccessful in the appeal of the €50m General Data Protection Regulation fine which was sanctioned against by the French data protection authority, the CNIL (Commission nationale de l’informatique et des libertés), in January 2019.
This particular penalty, one of many GDPR complaints that the Internet giant is currently dealing with. was sanctioned due to there being a non-transparent consent gathering process which doesn’t allow sufficient data to make an informed decision and the absence of a proper legal basis for processing personal data for advertising purposes.
Complaints were initially submitted to the CNIL by the max Schrems-founded data privacy advocacy group ‘None of Your Business’ and the French group ‘Quadrature du Net’ group on behalf of 10,000 signatories. In the appeal hearing the Conseil d’État, a section of the French government that acts as the supreme court of administrative justice, denied the request of the Internet giant to have the penalty dismissed.
Following the announcement of the penalty in 2019, Google moved quickly to appeal the CNIL decision. The group released a statement which said it was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond” and defended its consent process for serving personalized ads.
The appeal was filed on the basis that the French DPA doesn’t have jurisdiction over Google’s European headquarters as the office is located in Dublin, Ireland. Due to this, it was argued, the Irish Data Protection Commission is that body that should be leading all investigations into complaints regarding its practices. However the Conseil d’État did not accept this argument.
Last January when the fine was applied it was the largest issued under the GDPR legislation which became enforceable on May 25 2018. However it has since been surpassed by the financial penalty that was sanctioned against British Airway by the Information Commissioner’s Office in the United Kingdom – a €204m ($229m) in July 2019 in relation to a 2018 data breach. The CNIL and ICO have, to date, been more more active in holding companies to account, financially, for GDPR data breaches whereas the Irish agency appear to be taking a more lenient approach.
Following the hearing last January Schrems responded to the news in saying: “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”