France’s Data Protection Authority, the CNIL, has today announced a 50 million euro fine on Google LLC for lack of transparency, inadequate information and lack of valid consent regarding the personalisation of advertisements.
The case was initiated by two associations, None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was supported by 10 000 people to refer the matter to the CNIL. The CNIL says that the GDPR “one-stop-shop mechanism” was not applicable as the DPAs consider that Google did not have one main establishment in the European Union.
The CNIL is of the view that the consents collected were neither “specific” nor “unambiguous”. When an account is created, the user can admittedly modify some options associated with the account by clicking on the button “More options” accessible above the button “Create Account”. It is possible to configure the display of personalised ads, the CNIL says.
This fine is the first imposed by the CNIL under the GDPR and it warns that as the infringement is continuing, and it also involves the Android mobile operating system, further sanctions are on the agenda: “It is not a one-off, time-limited, infringement.”
See: La formation restreinte de la CNIL prononce une sanction de 50 millions d’euros à l’encontre de la société GOOGLE LLC