We would like to place strictly necessary cookies and performance cookies on your computer to improve our website service.
To find out more about how we use cookies and how you can change your cookies settings, please read our  cookies statement.                
Otherwise, we'll assume you are OK to continue.   Please close this message

Google fined again for inadequate privacy policy

The French data protection authority, CNiL, has ordered Google to pay a €150,000 fine for breaches of French data protection law.

The sanction follows Google's failure to comply with CNiL's deadline to bring its privacy policy, which now applies to over 60 Google services, into line with French data protection law.

Google introduced its privacy policy in March 2012, enabling it to aggregate users' personal data from across all their accounts and services including: Gmail, search, YouTube, photo sharing, map and location data.

An EU Data Protection task force, made up of the data protection authorities from France, Germany, Italy, the Netherlands, Spain and the UK, investigated the policy’s compliance with European Data Protection Directive (95/46/CE) and published their recommendations in October 2012.

Google failed to implement any significant compliance measures and so enforcement actions were launched at a national level in April 2013.

The CNiL fine, the largest of its kind in France, follows just a month after a Spanish fine of €900,000, the maximum fine available under Spanish data protection law. Should the UK’s Information Commissioner follow suit, Google may face a further fine of up to £500,000 for breaches of the Data Protection Act 1998.

Google is expected to challenge each of the rulings (and has already lodged its appeal in France), but the size of each fine has highlighted the growing pressure for companies to ensure data protection compliance - whilst the fines might be small beer for Google, the data protection authorities have shown new levels of hostility towards breaches. 

This level of seriousness will likely increase, because the EU data protection reforms, expected in 2015, will introduce new maximum penalties of €100m or 5% of annual global turnover (whichever is the greater). 

Google found itself in further data protection trouble last week with the news that the UK courts had permitted an action from a group called “Safari Users Against Google's Secret Tracking”. The group claims that in bypassing Apple’s browser security settings, Google has misused private information, breached confidence and breached the 1998 Data Protection Act.

Google has already paid out $39.5m worth of fines in the US for the breach, which allowed it to track users’ web activity regardless of browser security settings.

For more information please contact Vanessa Barnett, Partner

T: +44 (0)20 7203 5228