Print this Post

FRANCE: The CNIL Fines Google Inc. EUR 150,000

By Carol Umhoefer, Jeanne Dauzier & Mathilde Hallé

Google Inc. receives the largest-ever CNIL fine for having failed to comply with several requirements of French data protection law

As explained in our previous post on the ongoing dispute between Google Inc. and several European data protection authorities, including the CNIL (available here), in March 2012, Google decided to merge all of its existing privacy policies in one single document applicable to over 60 different services provided by Google (including, e.g., Google Search, Gmail, Picasa, and Google Maps).  This new privacy policy notably enables Google Inc. to combine any data collected through one service with data from all other services.

In June 2013, the CNIL ordered Google to revise its new privacy policy within three months, so as to make it compliant with French data protection law.  Google did not modify its privacy policy in the allocated time frame notably on the ground that French data protection law is not applicable to the policy.

In a 2013-420 decision issued on January 3, 2014, the CNIL’s sanctions committee has rejected this argument, on the basis that:

  • Google Inc. is established in the French territory via its subsidiary Google France SARL, which is effectively involved in data processing activities (notably for online advertising purposes); and
  • Google Inc. is using, for purposes of processing personal data, means of processing that are situated in the French territory (i.e., cookies);

The committee further considered that:

  • Google Inc. does not sufficiently inform its users about the conditions and purposes of the processing of their personal data, thus making it more difficult for users to assert their rights to access and correct their data;
  • Google Inc. fails to obtain user consent before placing cookies on terminals;
  • Google Inc. does not set specific retention periods for processed data;
  • Google Inc. combines all the data collected via its online services without demonstrating the legal basis for such combination.

With this decision, the CNIL has issued its largest-ever fine. The previous record was already held by Google Inc., which was fined EUR 100,000 in March 2011 for unlawful collection of personal data via the Street View service.

In November 2013, the Dutch data protection authority issued the conclusions of its investigation on Google’s new privacy policy; the Dutch position is very similar to the CNIL’s.  In December 2013 the Spanish data protection authority fined Google Inc. EUR 900,000 on the same grounds.

The CNIL also ordered Google. Inc to display on its homepage (https://www.google.fr), during 48 hours and within 8 days as from the decision’s notification, a communiqué with respect to this decision. As of today, no such communiqué has been published by Google on its home page.  

Should you have any further questions regarding to the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com), Jeanne Dauzier (jeanne.dauzier@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).


Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-cnil-fines-google-inc-eur-150000/