The claim was for Google failing to provide adequate information on its data consent policies, with Google’s terms often pre-checked by default
France’s highest administrative authority on Friday dismissed a challenge by Google against a fine of €50m for failing to provide adequate information on its data consent policies.
The fine was imposed in 2019 by France’s data watchdog, the CNIL.
It found at the time that Google made it too difficult for users to understand and manage preferences on how their personal information is used, in particular with regards to targeted advertising.
Its ruling applied principles enshrined in the EU’s strict new General Data Protection Regulation (GDPR). Google then appealed. But on Friday, the council of state, a French government body that is also the court of last resort for matters of administrative justice, confirmed the CNIL ruling.
It agreed that the information Google provides to users “does not meet the requirements of clarity and accessibility required by the GDPR” even when the nature and volume of data collected is “particularly intrusive”.
The council said the CNIL’s record fine is not disproportionate “given the particular seriousness of the breaches committed; their continuous nature and duration; the ceilings provided for by the GDPR (up to 4% of turnover); and Google’s financial situation”.
In a statement, Google said it will “now examine the changes we need to make”.
The matter was brought to the CNIL by two advocacy groups shortly after the landmark GDPR directive came into effect.
One was filed on behalf of some 10,000 signatories by France’s Quadrature du Net group, and the other by None Of Your Business non-profit, created by the Austrian privacy activist Max Schrems.
Schrems had accused Google of securing “forced consent” via its Android mobile operating software through the use of pop-up boxes online or on its apps, which imply that its services will not be available unless the conditions of use are accepted.
The CNIL noted in its ruling that details on how long a person’s data can be kept and what it is used for were spread over several different web pages. Modifying a user’s data preferences required clicking through a variety of pages such as “More Options”, and often the choices to accept Google’s terms were pre-checked by default.
It is not the first time the regulator had taken Google to task.
In 2014 it fined the company €150,000 — the maximum possible at the time — for failing to comply with privacy guidelines. And in 2016 it imposed a €100,000 penalty over non-compliance with the EU’s “right to be forgotten” rule which allows people to request having references to them removed from search results.