

Which GDPR Rules Led to Google Being Fined 50 Million Euros?

Google has just been fined 50 million euros by France’s data protection watchdog. Read our article to find out why.

On 21 January 2019, France's data protection watchdog, the National Data Protection Commission ('CNIL'), imposed a record fine of fifty million (50,000,000) euros against Google LLC based on perceived infringements of the EU General Data Protection Regulation ('GDPR').

In brief, the fine was imposed on Google for the latter's lack of transparency, inadequate information and lack of valid consent regarding ads personalization.

Essential Information not Provided in a Lawful Manner

One of the main violations highlighted by France's CNIL was the fact that information provided by Google was not easily accessible (one of the requirements under the GDPR). The CNIL noted that certain essential information, such as the purpose(s) of the processing of personal data, the data storage periods and even the categories of personal data used for ads personalization, was disseminated across several documents, requiring the user to click several buttons and links to be able to access this essential information.

The CNIL also observed that the information itself was not always clear or even comprehensive, making it difficult or impossible for users to understand the content. This goes against the transparency principle enshrined in the GDPR, which requires all essential information to be communicated in a concise, transparent, intelligible and easily accessible manner using clear and plain language.

Consent not Validly Obtained

Apart from lack of transparency, the CNIL also found that Google did not validly obtain the consent of its users to be able to process personal data for ads personalization purposes (despite the fact that Google itself had stated that it was relying on such consent as the legal basis for doing so).

Consent was deemed invalid on the basis of two main points:

1. Consent was not sufficiently 'informed', one of the essential requirements for valid consent together with it being 'unambiguous' (or in the case of special categories of personal data, explicit), 'freely given' and 'specific';


2. Consent was not 'specific' and 'unambiguous' (meaning that it was not clear what users were specifically consenting to).

Therefore, the ways in which users were presented with privacy-related information and the ways in which users were asked to manifest their consent were found to infringe the GDPR.

In imposing the record fine, the CNIL noted, inter alia, that this was not a 'one-off' by Google but rather, a continuous breach of the GDPR.

Maltese businesses should take note of this because the rules discussed above (mainly those enshrined in Articles 12, 13 and 14, GDPR) apply in a similar manner to them as well.

More information on this record fine can be obtained by visiting the CNIL's website.
