Case study: Google’s €50 million GDPR fine
What happened in a nutshell..
On January 21, 2019, the French Data Protection Authority (the “CNIL”) imposed a fine of €50 million on Google LLC under the EU General Data Protection Regulation (the “GDPR”) for, basically, lack of transparency and failure to obtain consent for ad targeting. The fine was the result of two collective complaints by activist None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”.)
The fine made headlines but was intermediately appealed by Google, with a request that questions be referred to the European Court of Justice for resolution. Google argued, among other things, that the CNIL was not the competent authority as, under the one-stop-shop the Irish DPA should have been the lead. The French Courts neither referred the case to the European Court of Justice, nor agreed with Google’s arguments.
So, it looks like activist won the day on this one and Google is going to have to pay…
Moral of the story: while in Europe, carefully disclose your practices, re-think pre-ticked boxes, and do not assume you get to pick and choose who is your “lead authority” by opening a main office in [NAME A EU COUNTRY] (it is more complicated than that…)
