Google to appeal €50m fine by French data protection regulator CNIL

Google claims it 'worked hard' to achieve GDPR compliance

Google is to appeal against its record €50 million fine levied by French data protection regulator CNIL over non-compliance with GDPR, the General Data Protection Regulation.

"We've worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing.

"We're also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal," the company said in a statement.

CNIL had concluded that users were "not sufficiently informed" about how Google collected data to personalise advertising, and that Google had failed to obtain a valid legal basis to process user data.

In effect, CNIL accused Google of obfuscating the information it provides to internet users about the level of information it collects about them. It follows complaints made to CNIL straight after GDPR was introduced in May 2018.

"Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information," the regulator wrote.

And, in appealing the fine, Google could open itself up to an increase if the appeal fails.

Commenting on Google's decision to appeal, Coffin Mew associate solicitor Guy Cartwright suggested that the company and its legal counsel had "missed the point".

He continued: "Google may well have tried its best, but consent under the GDPR is a high bar that needs to be unequivocal and freely given. How can users give consent to Google using complex algorithms and automated processing when most simply don't understand how these techniques work?

"Relying on an obscure privacy notice and telling us that our privacy is important simply isn't enough. Isn't the question more, should Google be doing this in the first place?

"My view is that this sort of activity may push the boundaries as to what most people think is acceptable if they really understood how these tools worked and where it could lead. When it comes to Google's appeal, I expect the courts to be unforgiving."

He suggested that Google had under-estimated GDPR, and the changes to its business practices that it might require to achieve compliance.

"You might think that a company as big as Google would be on top of its GDPR compliance measures. However, compliance in an organisation like Google is challenging because of the size and complexity of its processing operations. Compliance can, unfortunately, be an afterthought and seen as a hindrance to innovation.

"That is exactly why the principles of 'privacy by design and default' were made a specific obligation under the GDPR - so that privacy and data protection are not regarded as an afterthought. Perhaps Google's lawyers didn't read the regulation properly. Other companies should."