Google Fined by French Data Protection Agency for Lack of Transparency

France’s Data Protection Authority (Commission Nationale de l’Informatique et des Libertés), also known as CNIL, recently fined Google LLC a 50 million euro fine for violating restrictions under the General Data Protection Regulation (GDPR) laws.


The fine, which amounts to roughly 56.8 million U.S. dollars, is the largest GDPR fine to be issued by a European regulatory agency since the directive came into effect. It is also the first time one of the giants in the technology realm was fined for failing to comply with GDPR decrees.


After being investigated by the CNIL for months, Google was ultimately fined for providing inadequate information, lacking transparency and lacking valid consent in regards to personalizing ads to users. The ruling is a result of complaints lodged by two advocacy groups last May, shortly after GDPR was officially put into practice.


According to CNIL, Google failed to communicate its data consent policies to users in an open and transparent, resulting in an overall lack of control for users over how their information is used by the company. These violations, which have not yet been resolved by Google, must be altered to contain an explicit process that allows users to “opt in” and share their personal data. This way, users can decide whether or not they give Google their “genuine consent” to collect their information.


While this is not the first fine related to GDPR, it is the largest—though it could’ve been even more significant. In fact, the maximum fine under GDPR law allows for a fine of up to four percent of a company’s annual global turnover. For Google, which made close to 34 billion U.S. dollars last quarter, the maximum fine could have been closer to billions of dollars if the offense was considered more serious.


In response to CNIL’s penalization, a Google representative said they are “deeply committed [to complying with] high standards of transparency and control” that its users expect.


After studying CNIL’s report, however, Google announced on Jan. 20 that the company will appeal the fine. In an article by Agence France-Presse (AFP), Google claimed they have “worked hard to create a GDPR consent process…that is as transparent and straightforward as possible,” and are therefore “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”


For cyber security experts and web users alike, this violation represents the need for greater social responsibility from tech companies, especially pertaining to the protection of personal information.


Being clear and upfront about user data is an essential component of reliable business practices, and Google should focus on rectifying the issues raised by CNIL instead of deferring the fine.


At this time, CNIL does not believe Google is respecting GDPR’s regulations. Google has also been accused of “deceptive practices” in its location tracking by seven different European countries.




  • Are Your Organization’s Credentials Under Threat?

  • 10 Security and Privacy Policies Every Organization Should Have

  • The Key to Preventing Unauthorized Access: Account Management

5100 Darrow Road, Suite B

Hudson, OH 44236

877-390-3950 Office