Google’s First GDPR Appeal: What’s at Stake?

This post is authored by Matt Avellino, a second-year law student at Villanova University’s Charles Widger School of Law. Mr. Avellino is a legal-intern with the XPAN Law Group.

Google is gearing up to appeal a €50 million privacy violation resulting from the French data protection agency, CNIL. Although the fine is miniscule when compared to Google’s last reported annual revenue of $110.9 billion in 2017, the appeal will provide freshly minted regulatory and case law on what it means to have a transparent consent process.

By way of background, the GDPR grants the following rights to consumers: 1) the right to know when their data is being collected; 2) the purpose for processing; and 3) the legal basis for processing. Art. 13(1). Moreover, a manifestation of consent is only one of the six legal bases for lawful processing, and consent is required for the processing of data for one or more specific purposes. Art. 6(1). Lastly, consent is valid only if the consumer is properly informed. Art. 7(3).

With these rights in mind, Google has stated that:

“We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing.”


Setting the stage for Google’s appeal, this statement defends Google’s belief that users consented to the processing of their data for the purpose of ad personalization when they configured their Google account on Android, Google’s cellular device. However, consumers had a contrasting opinion on what Google considers to be “transparent and straightforward,” and the CNIL agrees. Following investigation of complaints filed from two digital rights associations, the CNIL “carried out online inspections” to verify Google’s GDPR compliance by “analysing the browsing pattern of a user and the documents he or she can have access, when creating a Google account during the configuration of a mobile equipment using Android.”

According to the CNIL, user consent was both uninformed and non-specific for the purpose of ad personalization. Particularly, the CNIL alleged user consent was “diluted” across several documents, where users failed to comprehend the full extent of Google’s processing operations. The configuration process also included a method where users had to consent “in block” for each of the many purposes within the user agreement. Nevertheless, the GDPR stipulates that consent is “specific” only if it correlates to an individual purpose. The lack of transparency comes at a time when reports have shown that over the span of one year, it would take an average Internet user 76 working days to read each digital privacy they’ve agreed to.

In classic Google fashion, it appears the company has capitalized on both the nature of online contracting, and the youth and vagueness of the GDPR. At the heart of the appeal is transparency; however, the appeal will likely expose the edges of a consent spectrum that ranges from theoretical to practical. In other words, the appeal should provide additional insight in gauging whether consent has been obtained as a legal basis for the processing of data. What will this mean for consumers? If Google wins, the GDPR’s shift to an opt-in model may afford less protection than originally thought. If Google loses, the GDPR will shed some much needed light on the dark labyrinths of online contracting. For better or worse, consumer consent is on the line.


Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.