The French Data Protection Authority, or CNIL, fined Google LLC EUR 50 million for failing to adequately obtain user consent before gathering data for targeted advertising, as required by the EU’s GDPR. The case was brought before CNIL by privacy activist noyb, a nongovernmental organization seeking to enforce existing EU data protection legislation, and the French NGO La Quadrature du Net. The initial complaints, filed right after the GDPR went into effect, targets Google, Instagram, WhatsApp Messenger and Facebook, Inc.
The four complaints are very similar and allege that “forced consent” and “bundled consent” methods were used to bully users into signing their rights away in order to use Google’s and Facebook’s services: “The ‘core’ element of consent is probably the fact that it must be freely given, as clarified in Article 4(11) of the GDPR and further specified in Article 7(4) of the GDPR,” write the authors of the complaint against Android, Google’s iOS software. “Thus, this complaint focuses primarily on the act of consent, which, in the present case, we do not see as ‘free.’”
The complaints touch on several topics, including:
The controllers’ duty to be able to demonstrate that data subjects have consented to their data being processed.
The imbalance of power between a giant tech company and a data subject.
The need for separating the services contract from the data processing consent form.
The detrimental effects that may occur when data subjects withhold consent.