France fines Google, demands web statement

The French national data protection agency CNIL has imposed a €150,000 penalty on Google, saying that its privacy policy implemented since 1 March 2012 does not comply with the French Data Protection Act. It ordered the company to publish a communiqué on this decision on its homepage within eight days of its notification. No such posting has yet appeared on the site.

On 1 March 2012, Google decided to merge into one single policy the different privacy policies applicable to about sixty of its services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google Maps, etc. Nearly all Internet users in France are impacted by this decision due to the number of services concerned, says CNIL.

A Working Group of all EU Data Protection Authorities then decided to carry out an assessment of this privacy policy. It concluded that the policy failed to comply with the EU legal framework and accordingly issued several recommendations, which Google did not effectively follow up on. Consequently, six EU Authorities individually initiated enforcement proceedings against the company.

In this context, the CNIL's Sanctions Committee issued a monetary penalty of €150,000 against Google Inc. on 3 January 2014, upon considering that it did not comply with several provisions of the French Data Protection Act.

In its decision, the Sanctions Committee considers that the data processed by the company about the users of its services in France must be qualified as personal data. It also judged that French law applies to the processing of personal data relating to Internet users established in France, contrary to the company's claim. On the substance of the case, the Sanctions Committee did not challenge the legitimacy of the simplification objective pursued by the company’s merging of its privacy policies. 

It considers that the conditions under which this single policy is implemented are contrary to several legal requirements:

  • The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
  • The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
  • It fails to define retention periods applicable to the data which it processes.
  • Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.

These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.
This financial penalty is the highest the Committee has issued to date. It is justified by the number and the seriousness of the breaches stated in the case, it says.