The top administrative court in France on Friday shot down Google’s appeal of a €50 million (U.S. $57 million) fine the tech giant received last year for violations of the EU’s General Data Protection Regulation (GDPR).
The Council of State (Conseil d’État) upheld the fine handed down by France’s data protection watchdog, Commission Nationale de l’Informatique et des Libertés (CNIL), in January 2019 regarding Google’s failure to provide users with transparent and understandable information on its data use policies. The fine was the first handed out by the CNIL under the GDPR, which took effect in May 2018.
In its original ruling, the CNIL said Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalization,” by splitting them across multiple documents, help pages, and settings screens. Because of the lack of clarity, users were effectively unable to exercise their right to opt out of data processing for personalization of ads, the CNIL determined.
The Council of State ruled that the $57 million fine was appropriate, “given the particular gravity of the breaches committed, their continuous nature and their duration, the ceilings provided by the GDPR as well as the financial situation of Google.” The penalty remains the largest to be finalized under the GDPR, as proposed fines against British Airways ($230 million) and Marriott ($124 million) in the United Kingdom continue to linger.
Further, the court confirmed it believed the CNIL was in the right to hand down the penalty despite Google being headquartered in Ireland. The GDPR is designed to enable the home countries of companies to take the lead on enforcement efforts, but in this case “the Irish subsidiary of Google had no power of control over the other European subsidiaries nor any decision-making power over the data processing” at the date of the sanction, the court ruled.
Such a precedent may work against Google in regard to a separate case in Sweden, where the tech giant was fined 75 million Swedish kronor (U.S. $7.6 million) in March for non-compliance with the GDPR. Google similarly said it would appeal the penalty at the time it was announced.