In January 2019, the French data protection authority, CNIL (Commission Nationale de l’informatique et des libertés), announced that it had fined Google 57 million euros (approximately £44 million or USD$65 million) for breaching the EU’s General Data Protection Regulation (GDPR) through its use of targeted advertising.

The fine arose out of complaints made against Google to CNIL by privacy activists immediately after the GDPR came into force in May 2018. At the time of writing, it is the largest data protection fine ever issued – but what can we learn from CNIL’s decision?

  1. European data protection authorities (DPAs) have teeth now, and they aren’t afraid to use them

The GDPR gave DPAs enormous fining powers – organizations can be fined up to 4% of annual worldwide turnover or 20 million euros (whichever is greater) for violations of the GDPR. The fine issued to Google is sending a clear message: DPAs intend to use their powers.

  2. Watch out: there are agitators in the data protection space

This fine resulted from complaints made to CNIL by two pressure groups: NOYB (None of Your Business), a not-for-profit organization founded by Max Schrems, the activist best known for making complaints which eventually led to the collapse of the EU-US Safe Harbor regime; and La Quadrature du Net (LQDN), a French advocacy group that promotes digital rights and freedom of citizens.

Unlike other areas of regulation, there are lots of interested parties in the privacy space – data subjects, competitors, regulators, and privacy activists – which makes it particularly high risk.

  3. The DPAs have their eye on targeted advertisements

In 2018, before issuing this fine, CNIL issued four decisions against small French ad-tech companies providing ad-targeting and marketing services based on geolocation data to retailers. In these cases, CNIL looked into the validity of consent collected from mobile app users for the collection and processing of their geolocation data for ad-targeting processes.

This fine, and CNIL’s previous investigations, send a message to the ad-tech sector: you need to be particularly meticulous about GDPR compliance.

  4. Don’t think you can necessarily “select” your lead supervisory authority

The “lead supervisory authority” concept under the GDPR has led many companies – particularly those based outside the EU – to assume that because they have an EU HQ in one Member State, the DPA in that Member State will always be their lead supervisory authority. But CNIL took the lead in this investigation, even though Google has its EU headquarters in Ireland – because the complaints were made against Google LLC (the American entity) in France. The Irish DPA did not have decision-making powers with respect to the offending services.

  5. Transparency is key: make sure your privacy notice is clear, concise, and easily accessible…

Under the GDPR, data subjects are entitled to receive certain information from data controllers in relation to their processing activities, usually by way of a privacy notice.

CNIL found that in Google’s case, that information was not easily accessible, clear, or comprehensive. They observed that “[e]ssential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalisation, are excessively disseminated across several documents… the relevant information is accessible after several steps only.”


Stay tuned for Part Two where we will examine Lessons 6-10.