Commission Nationale de l’Informatique et des Libertés (CNIL) today fined Google under the GDPR. French regulator CNIL says is fining Google due to lack of transparency, unsatisfactory information and lack of valid consent for the personalization of advertising.

CNIL says that on 25 and 28 May 2018, has received collective complaints from NOYB and from LQDN, the last one mandated by nearly 10,000 people. The complaints say that Google doesn’t have a valid legal basis for processing the personal data of users of its services, in particular for the purpose of personalizing advertising.

CNIL carried out an online inspection in September 2018. The objective was to verify the compliance of personal data processing carried out by GOOGLE with the GDPR, by analyzing a user’s journey and the documents to which they can have access by creating a Google account when configuring their mobile equipment under Android.

CNIL says the general information architecture chosen by Google does not allow it to comply with the obligations of the Regulation. Essential information, such as the purposes for which the data are processed, the length of time the data are kept or the categories of data used to personalize advertising are excessively scattered in several documents, which contain buttons and links that must be activated to access additional information. Relevant information is only accessible after several steps, sometimes involving up to five or six actions. This is the case, for example, if a user wants to have complete information on the collection of his information for the personalization of advertisements, or for his geolocation.