Icon: enlarge
Google: Not for the first time in the dispute with the CNIL
Photo: Dado Ruvic / REUTERS
In January 2019, the Commission Nationale de l'Informatique et des Libertés, or CNIL for short, attracted worldwide attention: France's data protection authority sentenced Google to a fine of 50 million euros.
The CNIL was the first European regulatory body to punish a global internet company with reference to the General Data Protection Regulation (GDPR).
At the same time, the 50 million was the highest GDPR fine to date.
The background to that punishment were allegations that revolved around setting up a Google account on an Android smartphone.
Now the next bang of the CNIL follows: On Thursday the authorities announced that they would pronounce further penalties against large tech companies, one of them in record highs.
Google and its subsidiary Google Ireland will be fined 100 million euros, the Amazon subsidiary Amazon Europe Core 35 million euros.
Internet companies can still defend themselves legally against these penalties.
In the dispute over their 50 million fine, however, the CNIL ultimately prevailed against Google.
The CNIL alleges that Google has "placed advertising cookies on the computers of users of the google.fr search engine without prior consent and without adequate information."
A total of three violations of Article 82 of the so-called French Data Protection Act have been found, the authority announced.
The users are not sufficiently informed
Google is essentially accused of a lack of transparency.
"When a user visited the google.fr page, an information banner with the note› Privacy reminder from Google ‹was displayed at the bottom of the page," is how the CNIL summarizes one of the violations: There were two buttons on it, analogous to "Remind me later «And» Get it now «.
However, this banner did not provide the user with any information about the use of cookies that were already placed on the user's computer when the website was accessed, criticizes the CNIL.
In the opinion of the CNIL, anyone who has decided to deal with the issue of privacy by clicking has not been adequately informed about these cookies.
The authority argued that the user lacked information on how to object to the use of cookies.
Since an update in September, the cookies are no longer set automatically when the French Google website is accessed, the CNIL announced in its announcement.
At the same time, she emphasizes that, in her opinion, the practice complained of represents a serious violation of the French Data Protection Act, which has affected around 50 million users in France.
So, but also with the fact that the advertising cookies indirectly help Google earn money, the authorities then also justify the amount of the fine they have chosen.
Almost in passing, the CNIL also criticizes a new info banner with which Google has replaced its old one: This banner does not sufficiently explain to users what the purpose of cookies is, according to the authority, and that they can object to their use.
Google and Google Ireland would now have three months to adjust the banner again, otherwise a further € 100,000 fine per day of delay would be due.
Amazon is also being washed away
The CNIL Amazon Europe Core has issued a similar ultimatum, because even at the Amazon subsidiary, an already revised information banner is not yet seen as a solution to the problem.
The CNIL had also criticized the shopping site for the fact that when Amazon.fr was accessed, “a large number of cookies that were used for advertising purposes” were automatically placed on the user's computer “before any action was required”.
The practice complained of is said to have ended Amazon Europe Core in September.
Icon: The mirror
mbö / Reuters