France slaps Google with fine, remedial measure

Google gets hit with the largest fine ever levied by French privacy regulatory group CNIL, which tacked on a bit of humiliation for the company in the process.

Seth Rosenblatt Former Senior Writer / News

France's privacy regulatory organization served up a fine and a dose of embarrassment to Google on Wednesday.

As expected, the national committee on information and liberty (CNIL) imposed a fine of 150,000 euros (approximately $200,000). The amount won't mean much to Google financially. But in addition to the fine, the group demanded that Google post a warning on its French home page, Google.fr.

The warning must state that the company's unified privacy policy from March 1, 2012 does not comply with French law.

CNIL justified its demand that Google post the warning because of "the extent of Google's data collection, as well as by the necessity to inform the persons concerned who are not in a capacity to exercise their rights."

CNIL's Sanctions Committee said that while it did not have a problem with Google's intent to streamline its privacy policies into one, it found that the new policy had violated several provisions of the French Data Protection Act.

Google was found at fault for not sufficiently protecting its customers' personal data in four instances:

  • The company does not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing. They may therefore neither understand the purposes for which their data are collected, which are not specific as the law requires, nor the ambit of the data collected through the different services concerned. Consequently, they are not able to exercise their rights, in particular their right of access, objection or deletion.
  • The company does not comply with its obligation to obtain user consent prior to the storage of cookies on their terminals.
  • It fails to define retention periods applicable to the data which it processes.
  • Finally, it permits itself to combine all the data it collects about its users across all of its services without any legal basis.

CNIL's announcement also noted that data protection regulatory groups in Spain and the Netherlands came to similar conclusions in November and December of last year.

Google took a noncommittal stance in its response to CNIL's demands. "We've engaged fully with the CNIL throughout this process to explain our privacy policy and how it allows us to create simpler, more effective services. We'll be reading their report closely to determine next steps," said a Google spokesperson.

Update, 1:50 p.m. PT: adds Google statement.