On 25 and 28 May 2018, the French data protection authority (National Data Protection Commission - CNIL), received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.
The French authority ruled that Google had broken the law and fined the Technology giant with a 50 million euro financial penalty. In it's decision CNIL noted that “the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.” That is, CNIL may impose further fines if Google does not address the problem.
CNIL was punishing Google for breaching the GDPR in France only: it is quite possible that the data protection authorities in other EU nations will now impose similar fines, which could, therefore, add up to considerably more than 50 million euros. The ruling is important for signaling that even the biggest non-EU companies must fully comply with the GDPR, or face significant and repeated fines.
Google has said that it will appeal.