Google to challenge €50m French fine over EU’s new data laws

Fine relates to GDPR rules that came into force last May

Google has decided to challenge this week's €50 million penalty from French privacy regulators, who claim it has fallen short of the all-important disclosure and consent requirements of the EU's new online privacy regime.

The search company was fined on Monday in the first test of whether companies that rely on online advertising are living up to the new, tougher regulations. The GDPR rules came into force last May, but the legislation was vaguely worded when it came to the standards companies would have to adhere to, leaving it up to regulatory guidance and legal interpretation.

For once, Facebook was spared another blast of negative publicity over its handling of user data. The social networking company was named in the same complaint that targeted Google, brought by privacy activist Max Schrems, whose past successes include torpedoing the "safe harbour" regime under which transatlantic data flows once operated.

However, the CNIL, France’s data protection office, chose to target only Google for what will be an important test case. It criticised the process the company had set up to get consent from users to its targeted advertising, claiming this did not go far enough in alerting people to the extent of the data it collected and combined.


The search company argued on Wednesday that its consent process for personalised ads “is as transparent and straightforward as possible, based on regulatory guidance and user experience testing.”

Higher standards

It also warned that setting higher standards than the ones it had already adopted might have a knock-on effect across the ad-supported online economy. “We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond,” it said.

The CNIL could also face a challenge to its right to bring the case, though Google refused to comment on the precise grounds for its appeal. Under GDPR, companies can select which country’s data protection regulator leads cases against them, which in Google’s case is Ireland, the legal base of its European operations. However, the CNIL has maintained that its case was developed before Google made that election. – Copyright The Financial Times Limited 2019