CNIL fines Google €150,000 for the failure of its privacy policy to comply with the law

The CNIL, France’s Data Protection Authority, imposed a €150,000 monetary penalty on Google Inc. on 3 January, saying that Google’s 2012 single privacy policy, which applies to various Google services, does not comply with France’s Data Protection Act. The CNIL ordered the company to publish a communiqué on this decision on its homepage within eight days of its notification.

The CNIL’s decision follows the EU Data Protection Working Party’s assessment of the privacy policy, which concluded that it failed to comply with the EU legal framework. In addition to France, Data Protection Authorities in the UK, Germany, Italy, the Netherlands and Spain started enforcement actions in 2013. Last December, Spain identified three serious violations of its data protection law and imposed a €300,000 fine on Google for each one of them.

The CNIL declared last summer that, as Google processes data of users of Google services in France, it must comply with French law. It asked Google to:

1. Define specified and explicit purposes;
2. Inform users with regard to the purposes of the processing implemented;
3. Define retention periods for the personal data processed;
4. Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
5. Fairly collect and process passive users’ data;
6. Inform users and then obtain their consent in particular before storing cookies in their terminal.

The CNIL now states, in connection with the monetary penalty:
‘The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.

The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals. It fails to define retention periods applicable to the data which it processes. Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.’

The €150,000 penalty is the highest that the CNIL has issued to date. Google has not yet publicly commented on the monetary penalty.