GDPR – French Data Protection Authority Pronounced Its First Fine Under GDPR (And Biggest So Far)

January 22nd, 2019 | Posted by Claude-Etienne Armingaud in Case Law | France | Privacy

On January 21, 2019, the French Data Protection Authority (Commission Nationale de l’Information et des Libertés, or “CNIL”) published its first sanction rendered under the General Data Protection Regulation (“GDPR”).

Barely eight months after GDPR entered into force, and the subsequent group actions that were introduced in France, the CNIL followed in their footsteps its other European counterparts. However, while Portugal in July drew first against a hospital with a EUR 400,000 fines, the Austrian and German follow-ups, respectively for EUR 4,800 and 20,000 underwhelmed in contrast with the EUR 20 million, or 4% of the global turnover of a company (which ever the greatest) maximum fines allowed under GDPR.

Today’s CNIL decision nevertheless set the possible path for upcoming application of GDPR, by striking a EUR 50 million fine against Google LLC.

This sanction followed the group complaints formed by Maximilian Schrems’s association “None Of Your Business” (“NOYB” – already behind the cancellation of the Safe Harbor in 2015 and currently litigating against the Standard Contractual Clauses in Ireland) and La Quadrature du Net (“LQDN”), which received a mandate from 10,000 individuals to refer the matter to the CNIL.

The CNIL grounded its decision on the lack of transparency and inadequate information of the individuals in order to deem the consent regarding the ads personalization invalid.

On the one hand, the CNIL highlighted that the information of the data subjects was diluted in a myriad of documents while applying to a plurality of services at once (e.g. Google search, You Tube, Google Home, Google Maps, Playstore…). This did not allow the user to gain a “just perception of the nature and the volume of data collected.”

On the other hand, the consent-gathering mechanism was deemed inadequate to obtain the “specific” and “unambiguousconsent required for such data processing operations. The CNIL notably criticized the blanket acceptance of “the processing of [users’] information as described above and further explained in the Privacy Policy”, which, according to the Regulator, does not allow the users to opt-it to the each particular processing operation at stake without additional steps for the users to reach the required information.

This decision, in addition to be the first rendered by the CNIL under GDPR, will also in all likelihood be the last under the current Secretary General, Isabelle Falque-Pierrotin, who will be replaced on February 1st, after heading the CNIL since 2011.

To Go Further:

  1. 🇺🇸 PrivSec Global – Global Data Protection and Privacy Law Developments: What Lessons Have Enterprise Organisations Learned from the First Three Years of The GDPR GDPR fines have been increasing over the last 18 months, and it is proving to be a complex environment for...
  2. GDPR/Data Scraping – A Clear Limitation by the French Data Protection Authority to Direct Marketing Practices The French Supervisory Authority (CNIL) wrapped up 2020 with a EUR 20,000 fine against NESTOR, a French food preparation and...
  3. GDPR – New Consultations for GDPR Interpretation Initiated by French Data Protection Authority on the Concepts of ”Transparency” and ”International Data Transfers” In June 2017, the Article 29 Working Party – the gathering the all Member States’ Data Protection Authorities (DPAs) –...
  4. COVID-19: French Supervisory Authority Provides Guidance on Personal Data Processing by Employers Amidst Post-Lockdown Return to Work The current COVID-19 pandemic continues to raise many issues on employee privacy and how employers may balance processing their employees’...

, , , , , ,

You can follow any responses to this entry through the RSS 2.0 Responses are currently closed, but you can trackback.