The Council of State confirmed the decision of the data protection authority to fine Google €50m for its targeted advertising practices.

The largest GDPR fine to date: On 19 January 2019, the French data protection authority, the CNIL, fined Google €50m for a breach of the GDPR with regard to processing personal data for purposes of targeted advertising. The CNIL found a lack of transparency, in that Google was not making essential information easily accessible; and a failure to provide a legal basis for personalised advertising, which was not relying on ‘specific’ and ‘unambiguous consent’. To date, this is the highest fine for a breach of the GDPR, and the only one against a large tech company.

Google’s appeal is rejected in its entirety: On 19 June 2020, France’s supreme court, the Council of State, rejected the appeal brought by Google against the CNIL’s decision. The Council confirmed that Google did not deliver sufficiently clear and transparent information to the users of the Android OS. The way in which information was presented did not meet the requirements of clarity and accessibility, whereas the processing is ‘particularly intrusive’ due to the amount and type of data collected. Information is also sometimes incomplete, particularly with regard to data retention periods and the purposes of the various processing operations. The Council also agreed with the CNIL’s conclusions about the lack of specific consent, because information related to targeting advertising is not presented in a sufficiently clear and distinct manner. In addition, consent is collected by means of a pre-ticked box, which does not meet the requirements of the GDPR. For all these reasons, the Council confirmed the fine.

The CNIL was the competent authority: The Council also confirmed that the CNIL was the competent authority for the case, instead of the Irish one. At the date of the decision, the Irish subsidiary of Google had no control over the other European subsidiaries, nor any decision-making power over the data processing.