Home > Legal Library > Article

Join Matindale-Hubbell Connected

Google Fined Maximum Amount Permitted By French Data Protection Authorities In Latest Round In The Battle Over Its Privacy Policy (More Fines To Follow?)

Jonny McDonald
Sarah Pearce
Edwards Wildman Palmer LLP - London Office

January 16, 2014

Previously published on January 14, 2014

Back in January 2012 Google announced that, as of 1 March 2012, it would replace the privacy policies applicable to each of its online services with a single overarching privacy policy covering all of its services. In February 2012, the European Union’s Article 29 Data Protection Working Party (the independent European advisory body comprising representatives from each of the EU data protection regulators) asked the French regulator (the CNIL) to take the lead on assessing whether Google’s new privacy policy breached EU data protection law (namely the Data Protection Directive: 95/46/EC).

The French authority reported back that the changes did breach the law and Google was asked to address certain listed shortcomings. In April 2013, it was announced that Google’s response was unsatisfactory and the national regulators of France, the UK, Germany, Italy, Spain and the Netherlands were forming a ‘taskforce’ to examine whether Google’s privacy policy complied with their respective national data protection legislation (i.e., the UK’s Data Protection Act) with a view to sanctioning Google, primarily by unilaterally imposing monetary penalties, where the privacy policy failed to comply.

On 3 January 2014, the French regulator became the second national regulator in the EU to formally fine Google for its privacy policy breaches, issuing a monetary penalty of €150,000 (US$ 205,000), the maximum penalty it could impose in the circumstances. This follows the Spanish authority’s fine of €900,000 (US$1.2 million), imposed last month as part of the same ‘taskforce’ examination. It is not yet clear whether the other national regulators will follow suit. In the UK Google has responded to the UK regulator’s (the Information Commissioner’s Office or ICO) complaints (Google was given a deadline of 22 September 2013 to do so). However, the ICO is yet to announce whether Google’s response is satisfactory. If it isn’t, a further monetary penalty may follow, with the ICO able to impose fines of up to £500,000 (US$ 800,000).

Whilst, cumulatively, these monetary penalties may be relatively substantial, it is of note that, given the size of Google’s annual turnover, they are miniscule compared to what an equivalent fine may be if the EU Parliament’s draft of the Data Protection Regulation (which allows penalties of up to the greater of 5% of annual global turnover or €100 million) becomes law.

In any event, given Google’s apparent determination to retain its privacy policy without significant alteration, combined with the fact that EU data protection authorities can take further enforcement action beyond fining a company (i.e. in the UK, the ICO can serve ‘enforcement notices’, non-compliance with which is a criminal offence), it is unlikely that we have seen the end of these legal proceedings.


The views expressed in this document are solely the views of the author and not Martindale-Hubbell. This document is intended for informational purposes only and is not legal advice or a substitute for consultation with a licensed legal professional in a particular case or circumstance.

View More Library Documents By...

Practice Area
Internet Law
Edwards Wildman Palmer LLP Overview