France to Implement Sanctions Against Google for Privacy Violations

October 7, 2013

Google FranceThe French government is in the process of imposing legal sanctions against Google.  The sanctions are based on France’s determination that Google’s information privacy policies do not comply with the nation’s standards.

Privacy law in France is enforced by the Commission Nationale de L’informatique et des Libertes (CNIL).  After conducting an inquiry into Google information privacy policies, the CNIL had, in October 2012, ordered Google to modify its privacy policies.

Among the key CNIL concerns was the conclusion that Google’s information privacy policies were not presented clearly to consumers.  Additionally, the CNIL determined that the fact that Google incorporated diverse policies for its various services into a single policy statement made that statement vague and difficult to enforce.

The CNIL had ordered Google to make appropriate modifications to its privacy policy.  The authorities granted Google a period of several months to implement the changes and to make the privacy policy more transparent and effective for consumers.

The CNIL has now concluded that Google has not effectively responded to the requirements issued in 2012.  Accordingly, the CNIL has initiated the process for imposing sanctions against Google, based on the privacy violations.

French law is apparently somewhat unclear as to the maximum penalties that can be assessed for these privacy law violations.  A maximum fine of 150,000 Euros (approximately $198,000) can be assessed for a first offense.

The CNIL is reportedly considering whether or not the maximum fine for a first offense can be assessed on a per user basis.  If the CNIL assesses the fine for each individual French citizen who has used a Google service, then the total potential liability faced by the company is substantial.

The action by the French privacy authorities illustrates that it is not sufficient merely to implement a privacy policy.  The existence of a privacy policy does not ensure satisfactory compliance with legal and regulatory obligations.

Information privacy policies are assessed based on their content.  The policies must provide adequate protection for the information they govern.  Additionally, the policies must be presented in a clear manner so that consumers can readily understand their terms and implications.

Privacy policies should be reviewed and updated frequently to ensure that they remain accurate and useful for consumers.  Failure to maintain privacy policies that are reasonable, accurate, and transparent can result in substantial legal liability and significant harm to commercial reputation.