France’s CNIL fines Google €50 million for breach of GDPR

France’s National Commission for Information Technology and Civil Liberties (CNIL) has fined Google €50 million for a breach of GDPR. The CNIL’s restricted committee imposed the penalty for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”

There are several things about this judgement that will get the attention of boardrooms around the world.

In May of last year, the CNIL received two complaints about Google. They came from privacy campaign groups None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Both alleged that Google was processing personal data of European citizens without having a valid basis to do so. One of the uses of the data was ad personalisation.

Because Google is based in Ireland, the CNIL asked Ireland’s ICO, before taking the case, whether it wanted to deal with it. Under the EU one-stop-shop mechanism, Ireland would normally be the lead authority in cases like this. However, it was quickly established that Ireland was unable to deal with issues around Android and Google. As a result, the CNIL implemented the European Framework set out by the European Data Protection Board’s guidelines.

An inspection of how Google handled privacy data and responded to requests from users was carried out in September. The CNIL notes that Google breached the GDPR on two counts.

Violation of the obligation of transparency and information

It takes up to 6 separate actions to find what Google holds on a user. In addition, the data is confusing and incomplete. This is compounded by deliberate vagueness in the way the use of data and the purposes of processing are explained.

Violation of the obligation to have a legal basis for ads personalisation processing

Google claims it has sought and received user consent for ads personalisation. The CNIL says it has not. It claims that the way data is collected and the information provided means that: “consent is neither specific or unambiguous.”

No catch-all phrases

Requiring a user to tick boxes such as “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” is insufficient. The GDPR states consent is specific only if given distinctly for each purpose.

The CNIL states:

This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.

Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.

Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone. Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalisation. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.

This fine just may be a wake-up call to all the companies and websites that are failing to implement the GDPR properly. Clearly, the fear for many websites is that the more they ask for consent, the less they will get. Therefore, they are defaulting to users having to opt out instead of opting in.

Some of the lessons that companies and websites will have to deal with are:

  • Ensure users are opted-out by default
  • Make it easier for users to get access to their data
  • Remove any ambiguity over what data is being gathered and how it is to be used
  • If the data is processed by third-parties, users need to be fully informed and allowed to opt-out
  • When providing data to users, it must be clear, easily accessed and easy to read
  • The use of catch-all boxes such as “I agree to xxx Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” is insufficient.
