Today, January 8, 2014, CNIL announced it had fined Google €150,000 last week on January 3rd for violations of the French Data Protection Act.
![CNIL Headquarters in Paris.](https://i2.wp.com/privacyblawg.com/wp-content/uploads/2014/01/cnil.jpg?resize=474%2C315)
What’s the French Data Protection Act?
In 1978, France enacted loi n° 78-17, the French Data Protection Act. This Act regulates how personally identifiable information, like your name, address, contact information, and sensitive personal information, is processed. When a company wants to collect, process, or otherwise use a person's personally identifiable information, it must first inform that person, limit how long it keeps the data, provide easy ways to view and delete that data, limit international transfer of that data, and give CNIL a detailed description of its business and how it will process personal data.
What is CNIL?
This Act created the Commission nationale de l’informatique et des libertés (CNIL), an administrative regulatory agency that monitors companies to make sure they comply with the Act, and processes applications and reviews. CNIL also has the power to fine companies for violating the Act. As part of its constant monitoring, CNIL noticed that Google’s new Unified Privacy Policy violated parts of the Act.
What is Google’s Unified Privacy Policy?
Companies issue Privacy Policies, which are detailed descriptions of what kinds of personal data are collected from internet users when they use the company’s website. Google has many services (Search, Gmail, Maps, YouTube, etc.), and before March 2012 each service had its own privacy policy. However, on March 1st, 2012, Google unified these policies, and one single privacy policy controlled data processing across all of Google’s services.
How did the Unified Policy violate the Act?
CNIL claims that Google:
1. Did not inform users why data was being processed.
2. Started tracking data before getting users’ consent.
3. Did not say for how long data would be stored.
4. Collects user data from many of its services, and combines them together.
Items 1 and 4 are big problems, because Google combines user data from all of its services to more accurately target advertisements to its users, but it doesn’t make clear that this is what it is doing. For example, if you get a wedding invitation sent to your Gmail, you might start seeing ads for tuxedo rentals in your Google Maps. CNIL claims that such integrated data collection and usage violates the Act. Of course, Google disagrees, and continues to believe that its Unified Policy is 100% legal.
The Final Thought
The fine is significant because it’s the largest single fine CNIL has ever imposed on a company. Also, France isn’t alone in thinking the Unified Policy is a privacy nightmare; both the Dutch and Spanish Data Protection Authorities came to similar conclusions last year. The unfortunate reality is that €150,000 (around $204,000 USD) is a mere drop in the bucket for Google. To put it in perspective, based on Google’s public 2012 financial reports, Google makes around $20,428 net profit every minute; CNIL’s fine works out to just under 10 minutes’ worth of profit. It’s unlikely Google will see these fines as a significant deterrent to its continued unified, pervasive user data collection, especially when it’s so profitable.
Edited on January 9, 2014: added net profit per minute to provide perspective on the insignificance of the fine.