CNIL hands out 138 million euros in fines…
It’s hit the headlines recently that French CNIL (the equivalent to the ICO) have served financial penalties totally 138 million euros.
- 35 million of that was served to Amazon FR and 100 million served to Google LLC/IE.
- Both organisations have been fined on the basis that, they did not obtain consent from their users regarding the use of their advertising cookies.
- Furthermore, French Supermarket chain Carrefour received a 3 million euro fine for complaints made against the way they’ve been processing customers data.
What happened…
The CNIL have conducted several investigations, over the last 12 months, where they found that when a user visited the website, cookies for both Amazon and Google were set on a user’s device, without providing information about how their data would be used. In addition, neither did they provide the user with an option of opt out of accepting these cookies.
Google were also found to have issues with the deactivation of the personal advertising cookies, which still stored data and continued to read information aimed at the server. CNIL, also clarified that the Google breach of GDPR regulation affected almost 55 million users and it was noted that the significant profits of the companies deriving from the advertising income, indirectly generated from data collected by the advertising cookies, had an influence on the nature of the fine. Since September 2020 Google have stopped automatic placing of advertising cookies.
Amazon only recently redesigned their site in September 2020 which rectified this issue, whether this will support the case when this ultimately goes to appeal will be seen.
Techcrunch (click to read the article) reached out to Google for comment and Google released this statement:
‘People who use Google expect us to respect their privacy, whether they have a Google account or not. We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today’s decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving. We will continue to engage with the CNIL as we make ongoing improvements to better understand its concerns.’
Both cases can be read here: Amazon FR / Google LLC/IE
The 3rd major fine in the last 14 days, sees Carrefour fined after receiving a series of complaints relating back to May 2019. Relating to two entities – Carrefour France (retail sector) and Carrefour Banque (banking sector). This particular incident was related to the processing of customer data, seeing a total fine of 3 million Euros. Read the case here.
These are significant cases with impactful fines and it’s a constant reminder of how important Data Governance is for modern day businesses.
At Station10 we have been working with clients to undertake Data Protection Impact Assessments (DPIAs), looking at overall compliance, processing, policies and procedures. An output from the review is being able to advise on the overarching data governance strategy and how it can be improved and enhanced.
Data Governance really is king and data ethics play an important role as well.
We’re enabling organisations to have accessible, readable and useful data; data that sits as an asset within a business but that’s managed and controlled in the right way to the benefit of the overall business ethics, objectives and goals.
To find out more about DPIAs and our wider Data Governance offering please contact Jan Piedrahita – Data Strategy Lead.