Blogs

Google was fined by French and Spanish Data Protection Authorities

By EDRi · January 15, 2014

On 19 December 2013, Google was fined by the AEPD – Spanish Data
Protection Authority (DPA) with 900 000 Euro for breaching the Spanish
data protection provisions.

Later on, on 3 January 2014, Google was given the maximum 150 000 Euro
fine by CNIL (the French Data Protection Authority) ‘s Sanctions
Committee for non-compliance with the French Data Protection Act.

Google’s privacy policy applied on 1 March 2012 to all its services
Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google
Maps etc., has been under scrutiny ever since. Article 29 (the Working
Group of all EU Data Protection Authorities) decided to carry out an
assessment which concluded that the policy did not comply with the EU
legal framework. The group issued a series of recommendations, which
were not effectively applied by Google Inc. Therefore, six EU Data
Protection Authorities have individually initiated enforcement
proceedings against the company.

The AEPD explains that the combination of data collected through
different Google services widely exceeds the reasonable expectations of
the majority of users, who are not aware of it and lose control of their
own personal information.

AEPD also noted that Google hinders and, in some cases, prevents the
exercise of the rights of access, rectification, cancellation and
opposition. Google itself recognized that users must run at least seven
different processes, and reserves the right to not respond to requests
involving “a disproportionate effort”.

CNIL considers that the conditions under which Google’s policy is
implemented are contrary to several legal requirements because the
company does not provide its users sufficient information regarding the
conditions and purposes under which their personal data are processed
which puts them in the position of not being able to exercise their
rights, in particular their right of access, objection or deletion.

Moreover, Google does not obtain user consent prior to the storage of
cookies on their terminals, does not define the retention periods for
the data it processes and combines the data collected about its users
across all of its services, without any legal basis.

The 150 000 Euro fine is the highest amount ever given by CNIL and
actually the largest amount it can fine, which can be doubled in case of
a repeated offence. It comes with the obligation for Google to make
CNIL’s decision public on its French homepage for 48 hours, within 8
days from the notification of the decision.

Google hasn’t made the decision public in its website yet, as they
appealed the decision on 13 January 2014.

More fines could follow in the other four EU countries where the DPAs
are still investigating Google for similar claims.

The CNIL’s Sanctions Committee issues a 150 000 € monetary penalty to
GOOGLE Inc. (8.01.2014)
http://www.cnil.fr/english/news-and-events/news/article/the-cnils-sanctions-committee-issues-a-150-000-EUR-monetary-penalty-to-google-inc/

The AEPD sanctions Google for serious violation of the rights of the
citizens (19.12.2014)
http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/diciembre/131219_PR_AEPD_PRI_POL_GOOGLE.pdf

Spain privacy watchdog fines Google for breaking data law (19.12.2014)
http://www.reuters.com/article/2013/12/19/us-spain-google-privacy-idUSBRE9BI12Z20131219

Google Fined Maximum French Penalty for Privacy Violations (8.01.2014)
http://www.businessweek.com/news/2014-01-08/google-fined-maximum-french-penalty-for-privacy-violations

La CNIL condemns Google to a 150.000 euro fine (only in French,
9.01.2014)
http://www.lefigaro.fr/flash-eco/2014/01/08/97002-20140108FILWWW00523-amende-maximale-de-la-cnil-par-google.php

Google appeals the sanction (only in French, 15.01.2014)
http://www.lefigaro.fr/secteur/high-tech/2014/01/15/01007-20140115ARTFIG00340-google-conteste-la-sanction-de-la-cnil-devant-le-conseil-d-etat.php

EDRi-gram: Google In Breach Of The Dutch Data Protection Act (4.12.2013)
https://edri.org/google-in-breach-of-the-dutch-data-protection-act/