The CNIL of France has issued the largest GDPR fine to date, and the first on one of the world’s tech giants.

Background: On May 25 2018, when the GDPR came into force, two associations (None Of Your Business, ‘NOYB’, led by Austrian activist Max Schrems, and La Quadrature Du Net) filed collective complaints to the CNIL against Google. The claims disputed Google’s legal basis to process the personal data of the users of its services, in particular for the purpose of targeted advertising.

How did this end? The French data protection authority, the CNIL, found it was the competent authority to handle the claim; Google did not have a main European establishment at the time, hence the ‘one-stop-shop’ provisions would not apply. The CNIL’s investigation then found two problems: breach of transparency obligations, by not making essential information easily accessible; and failure to provide a legal basis for personalised advertising, which was not relying on “specific” and “unambiguous consent”. As a result, the CNIL ruled a fine of €50m, the maximum penalty provided for under GDPR.

What could happen now? The CNIL has warned that the infringement continues “to this day”, and noted that the Android OS plays a pivotal role in the French market. This means that the CNIL could take further action should Google not change its practices; the decision is also likely to set a precedent for other regulators. Google has not yet decided whether it will appeal the ruling.