Data Protection

Google hit with €50 Million fine over GDPR Violation

23 Jan 2019

2 min read

On the 25th May 2018, the same day on which the General Data Protection Regulation (“GDPR”) came into effect, complaints were filed against Google by two groups which advocate for privacy rights. The complaints were filed in France with the French data protection authority, the National Commission on Informatics and Liberty (“CNIL”). The complaints alleged that Google did not have a valid legal basis to process user data for the purpose of ad personalization.

The GDPR sets up a one-stop-shop mechanism which provides for the coordination of data protection authorities within the EU. In this case, Google’s European headquarters are situated in Ireland and the CNIL had to assess whether it was competent to deal with the complaints. It was established that Irish data protection authority did not have “decision-making powers” over Google’s Android operating system and Google’s services and thus CNIL was competent to take any decision regarding processing operations carried out by Google.

In its statement, CNIL held that Google was in violation of the obligation of transparency and information since users are not able to fully understand the extent of the data processing operations to which their personal data is subject. This is mainly due to generic and vague descriptions of the purposes for data processing as well as lack of information with regards to retention periods for some data. The current processing operations do not allow a user to be aware of the plurality of websites and applications (Google search, You Tube, Google Maps, Playstore etc.) and the amount of data processed and combined. CNIL also ruled that Google is not seeking clear, specific and unambiguous consent for all the different ways it processes data and contrary to the GDPR, pre-ticked consent boxes are used by Google.

CNIL fined Google €50 million – the largest GDPR penalty levied against a US Company to date. Although the fine may seem high, it is not exorbitant when compared to the fact that the GDPR allows a company to be fined a maximum of 4 percent of its annual global turnover, and Google’s earnings in the third quarter of 2018 alone amounted to $33.74 billion.

For further information about how GVZH Advocates can help you with your data protection legal requirements, kindly contact us on