France: CNIL fines Google €50M for GDPR compliance failures
The French data protection authority ('CNIL') announced, on 21 January 2019, that it had issued a €50 million fine against Google LLC for compliance violations under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), further to complaints filed by La Quadrature du Net and none of your business and subsequent investigations. In particular, CNIL found that Google did not provide users with information relating to the purpose of data processing and data retention periods for marketing purposes in a clear and comprehensive way, as required by the transparency and information obligations under Articles 12 and 13 of the GDPR.
Furthermore, CNIL held that Google did not have a legal basis, under Article 6 of the GDPR, for the processing of user data for personalised advertising, as consent had not been validly collected, since it was not specific or unambiguous, and users were not sufficiently informed as to the extent to which they were consenting to the data processing. Finally, CNIL stated that in determining the amount of the fine, under the new maximum penalties of the GDPR, it considered the seriousness of the shortcomings affecting fundamental principles under the GDPR and the potential risks on Google users, and noted that Google's violations were ongoing.