The Council of State on Friday rejected Google’s appeal against the sanction of 50 million euros which had been imposed on it in 2019 by the CNIL, for lack of information on the processing applied to the personal data of its users. The French gendarme of personal data had been seized separately, from the entry into force of the General Data Protection Regulation (RGPD), by two associations for the defense of the rights of Internet users, La Quadrature du Net (France), and None Of Your Business (NOYB). Sanctioned on January 21, 2019 for breaches regarding the processing of personal data of users of the Android mobile operating system, Google had decided to appeal.
” The Council of State confirms the assessment made by the CNIL ” and ” considers that the tree structure (of the information page on the processing of personal data) does not meet the requirements of clarity and accessibility required by the GDPR, even though the processing operations in question are particularly intrusive in terms of their number and the nature of the data collected ”, explains the Council of State in a press release. He criticizes Google in particular that the information on advertising targeting is ” diluted in the midst of information relating to other purposes “.
He also considers that the sanction of 50 million euros pronounced by the CNIL is not disproportionate ” given the particular gravity of the breaches committed, their continuous nature and their duration, the ceilings provided for by the GDPR (up to 4% of turnover) as well as the financial situation “ from Google. ” In light of this decision, we will now consider the changes we need to make ”, reacted Google in a statement sent to AFP.
The American giant now believes that it has found a way to combine complete and easy-to-understand information, while maintaining a strict consent policy.