By an order made on 7 February 2014, the Conseil d’État rejected an application for a stay of a decision by the French information commissioner, CNIL, imposing a fine of €150,000 on Google for a violation of privacy law and ordering it to post a notice of the fine for 48 hours on its home page.
The Law of 6 January 1978 on data processing [pdf] provides that the CNIL may impose a monetary sanction against those responsible for the automated processing of personal data that does not meet the obligations under that Act. The law allows the CNIL to publish the sanctions that it has imposed and to order their inclusion, at the expense of sanctioned individuals, in publications, newspapers or media it designates.
By a decision of 3 January 2014 (French), CNIL found that Google Inc. had committed a number of breaches of its obligations under the law on data processing. On 1 March 2012, Google decided to merge into one single policy the different privacy policies applicable to about sixty of its services, including Google Search, YouTube, Gmail, Picasa, Google Drive, Google Docs, Google Maps, etc. Nearly all Internet users in France are impacted by this decision due to the number of services concerned.
The “Article 29 Working Group” (of all EU Data Protection Authorities) concluded that the new policy failed to comply with the EU legal framework and issued several recommendations, which Google Inc. did not comply with. As a result, six EU Authorities individually initiated enforcement proceedings against the company.
The CNIL’s Sanctions Committee considered that the conditions under which the policy was implemented were contrary to several legal requirements:
- The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
- The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
- It fails to define retention periods applicable to the data which it processes.
- Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.
These conclusions are similar to those laid down by the Dutch and Spanish Data Protection Authorities in November and December 2013 on the basis of their respective national laws.
CNIL imposed a fine of €150,000 and decided to make its decision public on its website. It ordered Google to publish on http://www.google.fr, for a period of 48 consecutive hours, the following statement:
“Release: the CNIL has ordered Google to pay a €150,000 euro fine for breaches of the data protection law. The decision can be found at the following address. http://www.cnil.fr/linstitution/missions/sanctionner/Google/”
Google launched an emergency appeal to the Conseil d’État, France’s highest administrative court. It claimed that the publication of the notice of the fine would cause irreparable harm to its reputation. This argument was rejected by the judge, who dismissed the application for suspension. The judge noted that Google had the opportunity to make clear that it disagreed with the decision and, if its appeal succeeded, to inform Internet users. There was no evidence that there would be irreparable harm to Google’s reputation. The full order of the Conseil d’État can be read here (in French).