First major fine under the GDPR on Google
As you probably know by now, a first major €50 million fine under the GDPR has been imposed by the CNIL (a French data protection office) on Google. In its yesterday’s decision, CNIL ruled that the transparency obligation has been breached by providing information about data processing scattered across several documents, with relevant information accessible only after taking as many as 6 actions in some cases. CNIL also regarded description of purposes of the processing and the categories of data processed as too generic and vague. Further, CNIL also considered that consent to data processing was not sufficiently specific and informed. Additionally, CNIL criticized the mechanism for obtaining consent used by Google (user had to click at “More options”, ads personalization was pre-ticked). Even though more detailed analysis will follow, it seems that the daring approach to compliance might not work so well under the GDPR. DPA’s will require compliance with at least the most basic duties under the GDPR and will not accept anything less. As with many cases involving Google and personal data, a legal battle can be expected, with the CJEU delivering its binding interpretation of the GDPR in a matter of years.