RGPD & Données personnelles

GDPR: Google receives an exemplary €50 million fine

RGPD & CNIL - Protection des données personnelles - Sanction Google

Isabelle Falque Pierrotin concludes her term at the CNIL (French Data Protection Authority) with a record fine: €50 million for breaches of GDPR obligations imposed on Google.

2021 Update: Since then, Google has again been fined for GDPR breaches and violations of personal data protection obligations. The CNIL’s restricted committee fined GOOGLE LLC and GOOGLE IRELAND LIMITED a total of €100 million, notably for placing advertising cookies on the computers of users of the google.fr search engine without prior consent or adequate information.

On May 25 and 28, the day after the GDPR came into effect in Europe, the CNIL received two class-action lawsuits filed by the NGO NOYB and La Quadrature du Net, representing more than ten thousand people. Particularly at issue are Google’s general terms of service, refusal of which would prevent the user from using an Android device, as well as the policy of behavioral analysis and advertising targeting.

Following an online audit conducted in September 2018, the CNIL (French Data Protection Authority) identified, based on its investigations, two major breaches of legal obligations: a lack of information and transparency.

GDPR: A vigorous defense from Google

After rejecting Google’s numerous arguments regarding territorial jurisdiction in favor of Ireland, the CNIL (French Data Protection Authority) deemed itself competent due to the lack of an identifiable main establishment in Europe. Similarly, Google attempted to have the case referred to the European Data Protection Board (EDPB), which has jurisdiction over the interpretation of data protection laws, but this was also rejected.

Despite Google’s prodigious efforts to prevent this case—arguing that complaints were inadmissible, citing alleged violations of due process due to linguistic issues, and distinguishing between the Android operating system and user accounts—the CNIL persisted in its analysis, ultimately finding several shortcomings, including a lack of information.

GDPR: a lack of information

Google is criticized in its preliminary information for a considerable lack of “accessibility, clarity, and comprehensibility” due to having “excessively scattered” this information across multiple documents. The “Privacy Policy and Terms of Service,” subdivided into “Terms of Service” and “Privacy Policy” accessible via links, contain buttons and other links “to activate in order to access additional information.” The CNIL (French Data Protection Authority) cites three significant examples concerning advertising, geolocation, and data retention.

GDPR: Lack of transparency and clarity

The CNIL (French Data Protection Authority) highlights the compilation of information from disparate sources – phone, Gmail, YouTube, Google Analytics, applications, address book, etc. – whose legal terms are too general to allow users “to understand the impact of the main processing activities on their privacy.”

Based on Article 6 of the GDPR, the CNIL infers from the lack of information and clarity that users are completely unable to give any specific consent, thus rendering the processing of personal data compliant.

CNIL oversight: An exemplary sanction

The €50 million fine and the publicity surrounding the decision are based on Google’s continued breaches, despite the CNIL’s formal notice, which it failed to voluntarily remedy, as well as the scale of its data processing. Google possesses “combining operations with virtually unlimited potential, enabling massive and intrusive processing of user data.”

Google remains eligible to appeal to the Council of State within four months. However, as this appeal does not suspend the fine, the company will have to pay this sum to the French Treasury.

Google anticipated this decision by amending its terms of service, notably by designating the Irish Data Protection Commission (DPC) as the lead authority. Meanwhile, other complaints alleging that targeted advertising on YouTube, Gmail, and Google Search violates users’ consent and remains under review.

The significance of this decision is measured against other complaints filed, notably against Facebook, Amazon, LinkedIn, etc., for which similar sanctions could also be imposed.

Read our articles on CNIL sanction decisions:

  • GDPR: Netflix, Spotify, YouTube, and other streaming platforms sued
  • Latest CNIL GDPR sanctions: “The fun is over.”
  • GDPR – CNIL sanctions and appeals

Écrit par :

Publié le : 22/01/2019
Mis à jour le : 17/11/2025

PX Chomiac de Sas

Sur le même sujet :

Toutes les ressources >
2025.12.03 Lencadrement des contenus de jeu video

E-SPORT & JEUX VIDÉO

2025.12.03 – Regulation of video game content : Schedule 1

 Enfants influenceurs - YouTuber, Twitcher, Streamer - Code et contrat de travail

Internet & NTIC

Child influencers: a legal framework to protect their work

 RGPD et CNIL - Ciblage publicitaire et contrôle - Données personnelles et publicité - PCS Avocat

RGPD & Données personnelles

GDPR: Targeted advertising and CNIL oversight

 Esport & Publicité - Diffusion de compétition de jeux vidéo & sponsors

E-SPORT & JEUX VIDÉO

Esports & Advertising – Broadcasting of video game competitions & sponsorships