On 1 March 2012, Google decided to merge into one single policy the different privacy policies applicable to about sixty of its services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google Maps, etc. Nearly all Internet users in France are impacted by this decision due to the number of services concerned.
In this context, the CNIL's Sanctions Committee issued a monetary penalty of 150 000 € to Google Inc. on 3 January 2014, upon considering that it did not comply with several provisions of the French Data Protection Act.
In its decision, the Sanctions Committee considers that the data processed by the company about the users of its services in France must be qualified as personal data. It also judged that French law applies to the processing of personal data relating to Internet users established in France, contrary to the company's claim.
On the substance of the case, the Sanctions Committee did not challenge the legitimacy of the simplification objective pursued by the company’s merging of its privacy policies.
Yet, it considers that the conditions under which this single policy is implemented are contrary to several legal requirements:
These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.
This financial penalty is the highest which the Committee has issued until now. It is justified by the number and the seriousness of the breaches stated in the case.
Furthermore, the Sanctions Committee ordered Google Inc. to publish a communiqué on this decision on the website https://www.google.fr, during 48 hours, within eight days as of the notification of the decision. This publicity measure is justified by the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights.