The French data protection authority, CNiL, has ordered Google to pay a €150,000 fine for breaches of French data protection law.
An EU Data Protection task force, made up of the data protection authorities from France, Germany, Italy, the Netherlands, Spain and the UK, investigated the policy’s compliance with European Data Protection Directive (95/46/CE) and published their recommendations in October 2012.
Google failed to implement any significant compliance measures and so enforcement actions were launched at a national level in April 2013.
The CNiL fine, the largest of its kind in France, follows just a month after a Spanish fine of €900,000, the maximum fine available under Spanish data protection law. Should the UK’s Information Commissioner follow suit, Google may face a further fine of up to £500,000 for breaches of the Data Protection Act 1998.
Google is expected to challenge each of the rulings (and has already lodged its appeal in France), but the size of each fine has highlighted the growing pressure for companies to ensure data protection compliance - whilst the fines might be small beer for Google, the data protection authorities have shown new levels of hostility towards breaches.
This level of seriousness will likely increase, because the EU data protection reforms, expected in 2015, will introduce new maximum penalties of €100m or 5% of annual global turnover (whichever is the greater).
Google found itself in further data protection trouble last week with the news that the UK courts had permitted an action from a group called “Safari Users Against Google's Secret Tracking”. The group claims that in bypassing Apple’s browser security settings, Google has misused private information, breached confidence and breached the 1998 Data Protection Act.
Google has already paid out $39.5m worth of fines in the US for the breach, which allowed it to track users’ web activity regardless of browser security settings.
For more information please contact Vanessa Barnett, Partner