On January 21, 2019, the Commission nationale de l’informatique et des libertés (French Data Protection Authority) fined Google LLC 50 million euros under EU Regulation known as the General Data Protection Regulation (“GDPR”) for lack of transparency, inadequate information and lack of valid consent as regards personalized advertisements.
This is the largest fine imposed in relation to the GDPR, the key text in the field of data protection, that came into force on May 25, 2018.
On May 25 and May 28, 2018, the French Data Protection Authority received collective complaints from two associations, None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”) filed under the GDPR.
In these two complaints, the associations claimed that Google did not have a valid legal basis to process the personal data of the users of its services, in particular as regard ad personalization.
During an online inspection, the purpose of which was to analyze the browsing pattern of a user and the documents he/she [could] access when creating a Google account during the configuration of his/her mobile device equipment using Android, the French Data Protection Authority discovered two sets of breaches of the GDPR and imposed a 50 million fine on Google. 
While this amount seems immaterial compared to Google’s global annual revenues, the decision of the French Data Protection Authority that concerns solely Android and its activation process, sets a milestone in the application of the GDPR.
To justify the amount of the fine and the publication of the decision, the French Data Protection Authority underlined:
- the seriousness of the identified breaches that concerned basic key principles set out by the GDPR, such as transparency, information and consent;
- the fact that these were continuous breaches of the GDPR, not a one-off, time-limited, infringement;
- the pre-eminent position of the operating system Android on the French market and Google’s business model which is primarily based on ad personalization.
Breach of the transparency and information requirement
According to the French Data Protection Authority, the information provided by Google are not easily accessible by users.
It first questioned the general information architecture implemented by the company.
Essential information, such as the purposes of the data processing, the period during which data are stored or the categories of data used to personalize ads, are excessively disseminated across various documents that include links and buttons that must be clicked on to access additional information.
The relevant information is accessible after several steps only, implying sometimes up to five or six actions by the users.
The French Data Protection Authority then pointed out the lack of clear and understandable information.
It considered that users were not able to fully understand the extent of the processing activities carried out by Google and held that such activities were particularly massive and intrusive given the number of the services offered (some twenty) and the quantity and nature of the data processed and combined.
In particular, the description of the processing purposes was too generic and vague, just like the description of the data collected and processed.
Similarly, the French Data Protection Authority found that the delivered information was not sufficiently clear to make sure that users understand that the legal basis for their data collection and processing relies on user consent, and not Google’s legitimate business purposes.
Lastly, Google did not indicate the retention period for some user data.
Lack of legal basis to process data for personalized advertising
Google claimed that it relied on the users’ consent to process their personal data for the purpose of personalizing ads. The French Data Protection Authority considered that such consent was not validly obtained, thereby invalidating the legal basis of the data processing.
By doing so, the French Data Protection Authority provides valuable information on the consequences of using consent as a legal basis for data processing and identifies legal issues associated with the choice of this legal basis (among the six legal bases provided for under Article 6 of the GDPR) since any infringement in this respect is an aggravating circumstance in determining the financial penalty that will be applied.
First, the users’ consent was not sufficiently informed. According to the French Data Protection Authority, the information on processing activities was diluted in several documents and did not enable users to be aware of the extent of such activities.
For example, in the “Ad Personalization” panel, it is not possible to know exactly the range of services, websites and apps involved in the processing activities (Google search, Youtube, Google home, Google maps, Playstore, Google photo…) and, consequently, the volume of data processed and combined.
Second, the collected consent was neither “specific” nor “unambiguous”.
As per the GDPR, consent is “unambiguous” only if the user makes a clear affirmative action (ticking a non pre-ticked box for example).
Yet, the possibility to change some settings (e.g. display of personalized ads) offered to users when creating an account was held insufficient because i) the user must click on a specific link called “more options” to access the settings, and ii) the option to personalize ads is pre-ticked by default.
According to the GDPR, consent is “specific” only if it is given separately for each purpose of the processing.
However, even before creating his/her account, the user is invited to tick the boxes “I accept the conditions of use of Google” and “I accept that my information is used as described below above and detailed in the privacy rules“ in order to be able to create the account.
According to the French Data Protection Authority, such process leads the user to consent “en bloc” (i.e. in full) to all the processing purposes carried out by Google (ad personalization, speech recognition, etc.).