French Data Protection Regulator Levies Maximum Fine Against Google


France is one of six European countries taking action against Google after the EU's Article 29 Working Party (that is, a working group comprising representatives of all the national European regulatory bodies) found Google to be in breach of the European laws based on the EU's data protection directive. The other countries taking action are Spain, the Netherlands, Germany, Italy and the UK. Last month the Spanish authorities fined Google €900,000. At the end of November the Dutch authorities declared Google in breach of Dutch laws but asked for further talks before deciding on specific enforcement action. The other countries are still deliberating.

At issue is Google's merging of all of its separate privacy policies into one single policy on 1 March 2012. This combines the policies of around 60 separate services into a single policy in a manner that contravenes European law. Specifically, CNIL raises four concerns. Firstly, Google "does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing." As a result of this, users "are not able to exercise their rights, in particular their right of access, objection or deletion."

Secondly, Google does not comply with its obligation to obtain user consent for the use of cookies. Thirdly, Google does not specify how long it will keep the personal data it processes. And fourthly, it combines the user data it collects from its different services "without any legal basis." These conclusions, adds CNIL, "are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws."

CNIL issued its monetary penalty on 3 January. It also "ordered Google Inc. to publish a communiqué on this decision on the website https://www.google.fr," for a period of 48 hours, "within eight days as of the notification of the decision."

"Google's continued violation of and obstinacy against EU data protection rules is deeply concerning, not just to the average consumer, but also to the schools, governments, hospitals and businesses that Google is increasingly targeting," commented Jeff Gould, President of SafeGov.org. "There is an inherent conflict of interest in allowing the world's largest advertising company to collect, process and store such sensitive personal data. We encourage Data Protection Authorities to look specifically at this issue as they continue to investigate privacy abuses."

Enforcement action usually marks the end of an issue, but that is unlikely to be the case with Google. It has been instructed by the EU regulators to change its behavior but shows no sign of willingness to do so. Its standard response so far has been to deny any wrongdoing, even after the regulators' pronouncements. In this instance, a Google France spokesman told Reuters the company will take note of this decision and consider further action. "Throughout our talks with CNIL, we have explained our privacy policy and how it allows us to create simpler and more efficient services," he said.

Where Google and Europe are concerned, enforcement by the regulatory bodies may well be just the beginning. In two years of discussion Google has shown no sign of complying with the regulators' demands, and insists that they are wrong and it is right in its understanding of European law. It can, of course, pay such fines with little concern – indeed, it would be cheaper to pay the fines than to do anything about them. This is one of the reasons for the inclusion of sanctions based on a percentage of global turnover in the proposed General Data Protection Regulation.
