If you stalk your users – be transparent about it

Earlier last year, the Restricted Committee of the Commission Nationale de l’Informatique et des Libertés (Restricted Committee) ordered a financial sanction of €50million against Google LLC (Google) for breaches of the General Data Protection Regulation (GDPR).

Google’s breaches of the GDPR

As a result of this, the Restricted Committee determined that the information provided to Google’s users did “not meet the objectives of accessibility, clarity and intelligibility” (at 87) partially due to the number of sets involved to be able to access the relevant information as to how their data would be used.

Under the GDPR, a company can only process a personal data if there is a legal basis for that data processing to occur. Google argued that it had user consent for personalised advertising as a result of data processing. The Restricted Committee concluded that Google did not have the specific, informed, and unambiguous consent from users and the consent on which Google based its personal advertising had not been validly obtained (at 166).

Sanction for breaches of the GDPR

Under Article 83 of the GDPR, the Restricted Committee can impose an administrative fine of €20million or up to 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher). The Restricted Committee noted that Google’s worldwide annual turnover for 2017 was $US109.7billion (approximately €96billion).

Google argued that the fine of €50million was disproportionate to the alleged breaches and in excess of the penalty under Article 83 of the GDPR; however, the Restricted Committee found that the fine was proportionate given the serious nature of the breaches but did not elaborate on how it arrived at the figure of €50 million. It should be noted that the fine which was imposed was approximately 0.05% of Google’s total worldwide turnover for 2017.

Further, the Restricted Committee noted that the breaches were ongoing at the time of the hearing and due to Google’s prominent position within the Android market, the breaches of the GDPR meant that there were likely to be millions of users affected by the breaches.

Take away points

Companies that operate within the European Union (EU), or otherwise offer goods and services or monitor the behaviour of individuals within the EU, need to ensure that they do not breach the GDPR. Policies in relation to data collection and processing should be in “concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12.1 of the GCPR).

For legal assistance concerning any cyber matters, please contact Robert Ishak or Meaghan Williamson.


Commission Nationale de l’Informatique et des Libertés [National Commission on Informatics and Liberty], Délibération n°SAN-2019-001 du 21 janvier 2019 [Deliberation of the Restricted Committee SAN-2019-001 of 21 January 2019]