French Court Upholds $56 Million Google GDPR Fine
Largest Penalty Levied So Far Under EU's Privacy Regulation
Google had appealed the fine that was announced in January 2019 by the Commission nationale de l'informatique et des libertés, or CNIL. In January 2019, the commission found Google lacked transparency and clarity in the way it informs users about its handling of personal data and failed to properly obtain their consent for personalized ads.
The court, in its ruling Friday, noted that the information available to consumers is sometimes incomplete, "in particular regarding the data retention period and the purposes of the various processing operations carried out by Google," Reuters reported.
Google tells Information Security Media Group it will review changes the company needs to make in response to the ruling.
"People expect to understand and control how their data is used, and we've invested in industry-leading tools that help them do both," a Google spokesperson says. "This case was not about whether consent is needed for personalized advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make."
When it announced the fine, the CNIL noted that when someone created an account with Google, the company did not make clear what data it was collecting - as is required under GDPR - nor was it easy to find this information during the sign-up process. User consent for data usage was collected via a pre-checked box, which is not allowed under GDPR.
Google's practices were placed in the spotlight after the CNIL followed up on complaints filed by two privacy-focused advocacy groups: None of Your Business and La Quadrature du Net.
GDPR empowers EU data protection authorities to impose fines of up to €20 million ($23 million) or 4% of an organization's annual global revenue - whichever is greater.
- Refuse to give consent as easily as they give consent;
- Withdraw their consent as easily as they gave it;
- Provide consent for each purpose for which data is used;
- Be informed of the identity of the data controllers who set cookies. The list containing the identity of the data controllers must be made available when consent is obtained and must be updated regularly.
In addition, data controllers must be able to demonstrate to the CNIL that they have obtained valid consent.
The court, however, did slap down the CNIL on one item.
"The Council of State annulled the provision of the guidelines prohibiting in a general and absolute manner the practice of the 'cookie walls' by judging that such a prohibition could not appear in an act of flexible law. The CNIL takes note of this decision and will adjust its guidelines and its future recommendation accordingly to comply with it," the CNIL says in a statement.
A "cookie wall" refers to a requirement demanding a website visitor accept the placement of a cookie on their device in order to gain access to a website.