On January 21st 2019, the French Data Protection Authority (“CNIL”) fined Google LLC in a record 50 million euro fee for violating the General Data Protection Regulation (GDPR).
The legal basis for imposing the largest fee ever applied by CNIL is the fragility of the user’s consent on personalisation of publicity in the Android system.
CNIL sanctioned Google for imposing Android’s users 5 to 6 actions to access full information regarding its personal data for ad personalisation or geo-tracking (treatment purpose, duration, data category, among others).
CNIL also sanctioned google for having filled in advance the terms of acceptancy for publicity’s personalisation as well as the obligation imposed to the Data Subject to agree with such conditions in block with the general terms of condition and confidentiality, while the GDPR demands a “freely given, specific, informed and unambiguous” indication of consent for each purpose.
The GDPR’s legal basis used by CNIL is almost identical as the grounds incorporated by the Brazilian General Law of Data Protection (LGDP). Consequently, every company having business in Brazil should be compliant until February 2020.
Our Data Protection Law Team are at your disposal for helping you on the best practices on this subject.