Alex van der Wolk, Ronan Tigner, and Robert N. Famigletti
Privacy + Data Security
The Commission nationale de l’informatique et des libertés (CNIL), France’s data protection authority (DPA), has levied a €50 million fine against Google for allegedly violating the GDPR’s transparency, information, and consent requirements in deploying targeted advertisements. The fine—the largest fine under GDPR to date and the first involving a U.S. technology company—was issued on January 21, 2019, and sheds additional light on the CNIL’s GDPR enforcement priorities and practices.
THE CNIL’S FINDINGS
The CNIL indicated that it relied on four factors in particular in issuing its €50 million fine (and ordering the publication of the decision):
It is further noteworthy that the CNIL does not substantiate how it got to the amount of €50 million. Although the CNIL explicitly indicates that the infringements at hand would be subject to the GDPR’s 4% maximum fine and in that regard also refers to Google’s 2017 global revenue of €96 billion, it is clear that the CNIL did not impose the maximum fine. However, other than indicating that a fine of €50 million seems “justified,” the CNIL provides no reasoning as to how it got to any starting amount or even how the factors referred to above influenced the ultimate amount. As we have indicated before (see our article on the GDPR’s sanctions framework and a comparison with competition fines here), it would be highly recommended for DPAs (or even the EDPB at the EU level) to issue penalty guidelines that provide for internal guidance on how to determine the amount of fines (similar to what the European Commission has done for antitrust fines).
Finally, the CNIL did not provide Google with a prior notice (mise en demeure) to correct the infringements it identified (although Google was provided with a report explaining alleged infringements and communicated its observations to the CNIL ahead of its decision).
Google now has four months from its notification of the decision by the CNIL to appeal the decision before the French Council of State.
The CNIL’s press release can be found here (in English). The CNIL’s full decision can be found here (in French).
Rob Famigletti, a Privacy Analyst in the firm’s New York office, assisted in the preparation of this client alert.
©1996-2019 Morrison & Foerster LLP. All rights reserved.