Kyiv, Mechnikova str., 14/1

0800 211 927

publications-entry

penalty-pic

Penalty for the Good Corporation: what will happen to Google and others for violating the GDPR

September 29

On January 21, the French National Data Protection Commission (CNIL) announced on its website that it had fined Google for violating the EU's General Data Protection Regulation (GDPR). It took six months for the EU countries to make a quality level-up in the amount of fines for non-compliance with this standard. Prior to that, the fine was mainly € 20,000-30,000, with the largest fine amounting to € 400,000 and related to a hospital in Portugal. But this precedent is interesting not so much the amount of the fine as the rigidity of the regulator's approaches. Denis Beregovyi, Axon Partners, explains why, especially for Mind.

For what? The group complaints against Google arrived at CNIL on the same day that the GDPR came into force. The complainants reported that Google processed users' personal data without due cause, in particular to create personalized advertising offers.

To the attention of Ukrainian security officers: the inspection was conducted online, without searches, without seizure of servers or other visible interference for business. And so it was possible.

According to the results of CNIL inspections revealed violations of two requirements of the GDPR:

  1. Transparency and awareness of users about the processing of personal data.
  2. Lack of proper user consent for the processing of personal data for the purpose of personalizing advertising.

In the case of personalization of advertising, Google was sure to obtain the consent of users, because, firstly, when creating Google accounts, the user agrees to the Privacy Policy, and secondly, Google has a section "Ads personalization", where you can disable this feature.

illustration

This is what the ad personalization settings window in your Google Account looks like

However, CNIL does not think so, because the information about the personalization of advertising is not clear enough to users. As an example, the Commission claims that the relevant "Personalization" window does not contain information on the full range of Google services that collect and process personal data for this purpose ((YouTube, Google search, Play Store, Google pictures, Gmail, etc.). ), and therefore, the user cannot realize to what extent the data is used and how exactly they can be combined.

So, let's walk through the text of the CNIL decision

Why France and not Ireland. Google operates in Europe through a legal entity in Ireland. But the case was not initiated by the Irish, but by the French regulator. This is why it happened.

If data processing decisions are taken anywhere outside the EU, there is a one-stop mechanism - where the complaint is received, the body considers it. Because Google's data processing center is located in the United States and the complaint was first received in France, CNIL considered it.

Publications

Recommended

equity-pic
Equity associate

April 22

I'm a jun on projects. I am a co-owner of a law firm. How it happened. Before entering my parents told me that if I…

penalty-pic
Penalty for the Good Corporation: what will happen to Google and others for violating the GDPR

September 29

And why the recovery of 50 million euros could be a fateful precedent According to Mind.ua January 21 National Commission for Data Protection.

millenial-pic
Millennial Testament

August 19

What and how modern vloggers, opinion leaders and crypto-millionaires will inherit A typical legacy of the Ukrainian generation X looks like this: an apartment in…