Google hit with €50m fine under Europe’s tough new GDPR rules

22 Jan 2019

This is the first case of a US tech giant being caught under GDPR.

France’s data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) has hit search giant Google with a €50m fine for allegedly breaking EU privacy laws.

This is the first major case of a fine being issued to a US tech giant under Europe’s General Data Protection Regulation (GDPR), which was introduced in May 2018.

Under GDPR rules, EU regulators can fine companies as much as €20m or 4pc of their turnover, whichever is higher.

Privacy in the age of Android

At the heart of this particular case were allegations that Google failed to comply with GDPR in instances where Android users set up a new phone and followed the Android onboarding process.

CNIL ruled that Google was guilty of breaking EU privacy laws by failing to obtain adequate consent from users when processing their data for the purpose of personalised advertising. The French regulator also found that Google did not provide clear and easily accessible information to consumers about how their information is collected and held.

CNIL stated: “Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations.”

Even though Google falls under the jurisdiction of Ireland’s Data Protection Commissioner (DPC) because its European headquarters is in Dublin, CNIL decided not to apply the one-stop-shop mechanism because the DPC does not have decision-making power on the processing operations in the context of setting up an Android phone.

The CNIL said it implemented the new European framework as interpreted by all relevant authorities in the European Data Protection Board’s (EDPB) guidelines.

The fine was welcomed by Austrian activist lawyer Max Schrems of NOYB (None of Your Business). “We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” he said.

“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

Is Privacy Shield adequate protection for European users?

The application of GDPR by a regulator in Europe outside of the one-stop-shop mechanism must surely be arresting another internet giant’s interest: Facebook.

In related news, Facebook has launched an appeal at Ireland’s Supreme Court aimed at halting the High Court’s referral to the Court of Justice of the EU over the validity of EU-US data transfers.

At the heart of the matter is whether US internet giants such as Facebook can freely send user data across the Atlantic to the US where, it is being argued, there is an apparent paucity of data regulation and users’ data can be sifted through by intelligence agencies.

The Irish DPC is opposing the appeal. It raised concerns about mass indiscriminate processing of users’ data by US government agencies under the PRISM and Upstream programmes.

Facebook is disputing the High Court’s views that the US lacks a comprehensive data protection code and argues that the regulations set down under Privacy Shield over EU-US data transfers are binding.

The case will run in the Supreme Court over a three-day period before five judges.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years