"To protect personal data, support innovation, preserve individual liberties"

The CNIL's Sanctions Committee issues a 150 000 € monetary penalty to GOOGLE Inc.

08 January 2014

On 3 January 2014, the CNIL's Sanctions Committee issued a 150 000 € monetary penalty to GOOGLE Inc. upon considering that the privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act. It ordered the company to publish a communiqué on this decision on its homepage Google.fr, within eight days of its notification.

On 1 March 2012, Google decided to merge into one single policy the different privacy policies applicable to about sixty of its services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google Maps, etc. Nearly all Internet users in France are impacted by this decision due to the number of services concerned.

The « G29 » (the Working Group of all EU Data Protection Authorities) then decided to carry out an assessment of this privacy policy. It concluded that the policy failed to comply with the EU legal framework and accordingly issued several recommendations, which Google Inc. did not effectively follow up on. Consequently, six EU Authorities individually initiated enforcement proceedings against the company.

In this context, the CNIL's Sanctions Committee issued a monetary penalty of 150 000 € to Google Inc. on 3 January 2014, upon considering that it did not comply with several provisions of the French Data Protection Act.

In its decision, the Sanctions Committee considers that the data processed by the company about the users of its services in France must be qualified as personal data. It also judged that French law applies to the processing of personal data relating to Internet users established in France, contrary to the company's claim.

On the substance of the case, the Sanctions Committee did not challenge the legitimacy of the simplification objective pursued by the company’s merging of its privacy policies.

Yet, it considers that the conditions under which this single policy is implemented are contrary to several legal requirements:

  • The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. Users can therefore understand neither the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
  • The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
  • It fails to define retention periods applicable to the data which it processes.
  • Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.

These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.

This financial penalty is the highest the Committee has issued to date. It is justified by the number and the seriousness of the breaches stated in the case.

Furthermore, the Sanctions Committee ordered Google Inc. to publish a communiqué on this decision on the website https://www.google.fr, for 48 hours, within eight days of the notification of the decision. This publicity measure is justified by the extent of Google’s data collection, as well as by the necessity to inform the persons concerned who are not in a position to exercise their rights.