Personal Data: French Data Protection Authority Levies €50 Million Fine

On January 21, 2019, a select panel of the French data protection authority, CNIL, which has the power to impose sanctions, fined a major technological services provider €50 million following its failure to comply with the obligations provided for in the General Data Protection Regulation (GDPR). The provider did not adhere to transparency and information obligations, and it did not set up a legal database for processing personal data collected for advertising purposes.

Following the implementation of the GDPR on May 25, 2018, the CNIL received collective complaints concerning this particular Internet giant from Austrian nonprofit None of Your Business and French NGO La Quadrature du Net. They claimed that it did not have a valid legal database for processing the personal data of service users, in particular for the purpose of the personalization of advertisements.

In order to monitor the provider’s compliance with the GDPR and the Data Protection Act concerning personal data processing, the CNIL analyzed the user experience and the accessible information during the registration process when configuring mobile equipment.

The CNIL first noted a breach of transparency and information obligations. In particular, users did not have easy access to relevant information; it was spread over several documents that were accessible only in multi-stage processes. In addition, the information provided was not always clear and understandable. Users could not therefore understand the extent of the data processing operations carried out by the service. The intended purposes of the information were described in a manner that was too generic and vague.

Secondly, the CNIL found that the consent for the use of information was not valid for two main reasons. First, the consent given was not considered to have been sufficiently informed due to the spread of information across several documents, meaning the user was unable to read it in its entirety. Second, user consent had not been specifically and unambiguously obtained.

Consent is considered to be unambiguous when the user makes a positive action. In this instance, however, the user was required to click to access the settings, within which the section relating to the display of personalized ads was checked by default (therefore, no positive action was necessary). It was also not specific in that the user was obliged to accept all conditions for the use of personal information, despite the fact that the GDPR requires separate consent for each purpose.

By fining the company €50 million, the CNIL applied, for the first time, the new sanction limits provided for in the GDPR.

The company has appealed the CNIL’s decision to the Conseil d’Etat (Council of State).

Cécile Martin is the managing partner of the Paris office of Ogletree Deakins.