Apple, Amazon, Netflix, Spotify, and YouTube also face scrutiny.

The French data regulator, CNIL, has sanctioned Google with a £44m GDPR fine for breaches of the European Union’s General Data Protection Regulation (GDPR).

Google’s fine, the largest issued since GDPR was made effective on 25 May 2018, follows complaints issued by data privacy rights groups noyb and La Quadrature du Net (LQDN) regarding Google’s legal basis for processing user data for personalised ads.

Reasons for the GDPR fine

CNIL cited two major reasons for non-compliance:

  • Failure to obtain a valid legal basis to process new European Android users’ data without the data subjects’ consent; and
  • A lack of transparency over data processing permissions relating to personalised ads, with essential information scattered amongst multiple documents.

Google was found to have contravened these requirements by checking the consent box by default, and for failing to clarify that the consent agreed to when a user creates a new account on their smartphone also relates to Google’s other services, including YouTube.

Ahead of GDPR, Google declared changes through its AdWords blog:

“To comply, we will be updating our EU consent policy when the GDPR takes effect and the revised policy will require that publishers take extra steps in obtaining consent from their users.”

However, this move was criticised for perceivably outsourcing compliance to publishers, and CNIL found Google’s measures insufficient in meeting their responsibility to protect European data subjects.

GDPR mandates that data consent must be clearly communicated to the data subject, with the responsibility falling primarily on the data controller.

Click here to find out more about protecting your clients’ data and avoiding a GDPR fine for your company.

What happens next?

Google has since responded to the sanctions, stating that it is “studying the decision to determine our next steps”.

Whilst minimal in comparison to Google’s 2018 £93.6bn turnover, CNIL’s judgement is a defining moment for global compliance, demonstrating that by pursuing a leading Silicon Valley organisation, the EU will enforce GDPR stringently.

And with decisions forthcoming regarding YouTube, Gmail, and Google Search’s personal data processing policies, scrutiny remains over Google’s compliance practices.


To ensure your business data and policies are easily accessible for both your staff and clients, speak to us about a Cloud-based ERP solution.