By Carol Umhoefer, Jeanne Dauzier & Mathilde Hallé
Google Inc. receives the largest-ever CNIL fine for having failed to comply with several requirements of French data protection law
In a 2013-420 decision issued on January 3, 2014, the CNIL’s sanctions committee has rejected this argument, on the basis that:
- Google Inc. is established in the French territory via its subsidiary Google France SARL, which is effectively involved in data processing activities (notably for online advertising purposes); and
- Google Inc. is using, for purposes of processing personal data, means of processing that are situated in the French territory (i.e., cookies);
The committee further considered that:
- Google Inc. does not sufficiently inform its users about the conditions and purposes of the processing of their personal data, thus making it more difficult for users to assert their rights to access and correct their data;
- Google Inc. fails to obtain user consent before placing cookies on terminals;
- Google Inc. does not set specific retention periods for processed data;
- Google Inc. combines all the data collected via its online services without demonstrating the legal basis for such combination.
With this decision, the CNIL has issued its largest-ever fine. The previous record was already held by Google Inc., which was fined EUR 100,000 in March 2011 for unlawful collection of personal data via the Street View service.
The CNIL also ordered Google. Inc to display on its homepage (https://www.google.fr), during 48 hours and within 8 days as from the decision’s notification, a communiqué with respect to this decision. As of today, no such communiqué has been published by Google on its home page.
Should you have any further questions regarding to the above, please contact Carol Umhoefer (firstname.lastname@example.org), Jeanne Dauzier (email@example.com) or Mathilde Hallé (firstname.lastname@example.org).