The French data protection authority looks to have beaten off a legal appeal by Google against its record €50m (£44m) fine for breaching GDPR, in what would be a significant victory against what many view as illegal adtech practices.
The case dates back to January last year, when CNIL (Commission Nationale de l’informatique et des Libertés) ruled that Google had failed to be transparent in its consent policies.
The regulator found that the tech giant made it too difficult for users to understand and manage preferences on how their personal information was being harvested, in particular with regards to targeted advertising.
The original investigation had been triggered by complaints from two European pressure groups, La Quadrature du Net and None Of Your Business (NOYB), which is led by the Austrian privacy campaigner Max Schrems.
Both groups accused Google, as well as a number of other large Internet companies including Facebook, of not having a valid legal basis to process the personal data of users of its services, “particularly for advertisement personalisation purposes”.
Now, it has been reported that in the Conseil d’État, a division of the French government that serves as the supreme court of administrative justice, the rapporteur appears to have indicated that the appeal will be dismissed.
The Conseil d’État is now drafting its decision, which should be published by the end of this month.
At the time the appeal was launched just weeks after the original ruling was published, a Google spokesman said: “We’ve worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing.
“We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”
If the appeal is dismissed, CNIL will be the first data protection regulator in Europe to have won a major GDPR case against a US tech giant.
The UK Information Commissioner’s Office was recently accused of “chickening out” of its own investigation into the adtech industry following its decision to put its inquiry on hold. At the time, it argued it did not want to put “undue pressure” on the sector during the Covid-19 pandemic.
Meanwhile, the Irish Data Protection Commissioner – the EU’s lead regulator – has yet to publish a single ruling against a US tech business.
At the last count, the regulator had 65 official investigations under way, with over two dozen statutory GDPR inquiries into multinational tech giants. More than half relate to Facebook and its WhatsApp and Instagram subsidiaries. It also has three probes into Apple, and one each into LinkedIn, Quantcast, Verizon and Tinder.
Its only decision so far has been against child and family agency Tusla, which was slapped with a €75,000 (£67,000) penalty for three cases where information about children was wrongly disclosed to unauthorised parties.
Rulings against WhatsApp and Twitter have been “imminent” for months.
Irish data regulator issues first GDPR ruling in two years
‘Chicken’ ICO kicks adtech investigation into long grass
Adtech smoke and mirrors mask woeful accountability
ICO faces legal challenge over failure to tackle adtech
2019 Review of the Year: Why it’s crunch time for GDPR
ICO issues first GDPR fine, but it’s not BA or Marriott
Google appeals €50m fine, insisting it followed guidance
Google ruling puts digital marketing industry on alert
Google hit for €50m as French issue first GDPR fine