CNIL Levies Record Fine Against Google Over Web Giant's Unified Privacy Policy

By Rick Mitchell  

Jan. 8 -- The French data protection authority (CNIL) Jan. 8 announced a record 150,000 euro ($203,571) fine against Google Inc. after the company failed to heed its order to modify its servicewide privacy policy to comply with French law.

The financial penalty is the highest ever handed down by CNIL's enforcement committee, CNIL said in a statement.

“It is justified by the number and the seriousness of the breaches stated in the case,” CNIL said.

The DPA ordered Google to publish notice of the decision on the home page within eight days of receiving the enforcement ruling.

In a statement provided Jan. 8 to Bloomberg BNA, a Google spokesman said, “We've engaged fully with the CNIL throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services. We'll be reading their report closely to determine next steps.”

CNIL previously fined Google 100,000 euros ($135,745) over its collection of unsecured wireless Internet connection data using Street View mapping project vehicles, in what at the time was its largest financial penalty assessed to date (10 PVLR 479, 3/28/11).

Unified Privacy Policy

In March 2012, Google began sharing--and tracking--user information across its e-mail, social networking, YouTube, search engine and other services, as part of a plan to integrate its 60 privacy policies into one policy (11 PVLR 426, 3/5/12).

Google moved ahead with the unified privacy policy despite a letter from the Article 29 Working Party, which is made up of data protection officials from the European Union member states, urging the company to not make the change.

In its ruling, which is dated Jan. 3, the enforcement committee said Google's unified privacy policy violates the country's 1978 framework Law on Information Technology and Liberties (78-17, updated in 2011).

CNIL previously ruled that Google's privacy policy move additionally violated EU data protection standards (12 PVLR 1721, 10/7/13).

Specific Violations

CNIL said the enforcement committee determined that “nearly all internet users in France were impacted by this decision due to the number of services concerned.”

The committee did not challenge “the legitimacy of the simplification objective” pursued by Google's privacy policy unification but it said the implementation of the policy violated the law in several ways.

The enforcement committee said that the unified Google policy doesn't sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of the processing.

Users “neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned,” the committee said. “Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.”

In addition, the committee found that Google:

• doesn't comply with its obligation to obtain user consent prior to the storage of cookies on their terminals;

• fails to define retention periods applicable to the data which it processes; and

• permits itself to combine all the data it collects about its users across all of its services without any legal basis.

Follows Spanish, Dutch Rulings

On Dec. 19, 2013, Spain's DPA levied a $1.2 million enforcement fine against Google over the unified policy (12 PVLR 2139, 12/23/13).

In November 2013, the Netherlands DPA ruled that Google was in violation of its data protection law but said it would not decide what specific enforcement action to take until after an as yet unscheduled hearing on the matter (12 PVLR 2057, 12/9/13).

The company also faces actions in Germany, Italy and the U.K., as part of a joint EU enforcement action on Google's privacy policy (12 PVLR 612, 4/8/13).


To contact the reporter on this story: Rick Mitchell in Paris at

To contact the editor responsible for this story: Donald G. Aplin at

The enforcement committee's decision (No. 2013-420 of Jan. 3, 2014) is available, in French, at
