
Google loses appeal against €50m GDPR fine



France’s Highest Administrative Court has upheld the decision of the French Data Protection Authority (the CNIL) to impose a €50 million fine on Google under the GDPR for its failure to:

  1. Provide privacy information in an easily accessible form, using clear and plain language, and
  2. Obtain users’ valid consent to process their personal data for ad personalisation purposes.

In particular, the CNIL found that essential information about the data processing (such as the purposes, the data retention periods or the types of personal data processed) was spread across several pages, and that users sometimes needed to complete up to six actions to obtain that information. In addition, the CNIL said that the description of some information was too vague and did not allow users to understand the extent of the data processing carried out by Google.

The GDPR provides a list of criteria that regulators are expected to use when assessing whether a fine should be imposed and, if so, its amount. In that respect, Google claimed that the CNIL’s decision did not state sufficient reasons because the CNIL did not comment on all of the criteria of Article 83(2) of the GDPR and did not explain how the amount of the fine was calculated. The Court found that the fine was not disproportionate given the:

  • Gravity of the alleged infringements
  • Fact that they were still occurring at the time of the CNIL’s decision
  • Length of time they persisted
  • Maximum limits for fines provided by the GDPR and
  • Google’s financial strength


With Google’s appeal lost, the decision illustrates how important it is for organisations to have a privacy policy (notice) that can be easily found and understood by its intended audience. It also demonstrates that regulators take this very seriously and are willing to impose large fines on those who transgress the GDPR.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.
