Remember that 50 million euro fine that Google got slapped with in France for failing to comply with the General Data Protection Regulation last year?
Looks like Google is going to have to pay up.
On Friday, the Conseil d’État (translates to Council of State), a division of the French government that serves as the supreme court of administrative justice, sided with France’s data protection authority, the CNIL (Commission nationale de l’informatique et des libertés), which levied the fine against Google in January 2019.
(Fun fact: Napoleon Bonaparte founded the Conseil d’État in 1799.)
The CNIL’s sanctions focused mainly on two specific GDPR infringements: having a non-transparent consent gathering process that doesn’t give users enough info to make an informed decision and – the bigger issue – the lack of a legal basis for processing personal data for advertising purposes.
At the time, Google’s fine (which translates to just over $56 million) was the largest issued under GDPR. Today, that dubious honor goes to British Airways in the United Kingdom, which was fined more than 204 million euros (roughly $229 million) in July 2019 for a massive 2018 data breach.
Google immediately announced its intention to appeal the CNIL’s decision. In a January statement, Google defended its consent process for serving personalized ads and said it was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”
Google appealed on the grounds that the French DPA doesn’t have jurisdiction over Google’s European headquarters. Google claimed that the Irish data protection authority should be leading any cases or investigations into its practices.
But the argument apparently didn’t fly, and the Conseil d’État is expected to issue its final judgement next week.
The CNIL’s original ruling in January followed a series of complaints filed by two nonprofit groups, La Quadrature du Net and None Of Your Business, both of which accused Google of lacking a legal basis for processing the personal data of its users.
None Of Your Business is led by Max Schrems, the Austrian lawyer and privacy campaigner responsible for bringing the 2013 legal challenge against Facebook’s international data-sharing practices that ultimately overturned the Safe Harbor agreement.
