On January 8, 2014, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), announced that it was imposing a fine of €150,000 on Google, as well as a requirement that Google, within eight days of the decision, publicize the fine on its own website (at www.google.fr) for a period of 48 hours. 

This announcement comes shortly after a fine of €900,000 was imposed on Google by the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), in December 2013, and after a lengthy decision against Google was released by the Dutch data protection authority in November 2013 (although no fine has yet been imposed on Google in the Netherlands in respect of the current enforcement action).

These penalties – now totalling over €1 million – represent the culmination of a long investigation by the CNIL, and the Article 29 Working Party group of European regulators, into Google’s March 2012 Privacy Policy and privacy practices.  The investigation began shortly after Google first announced that it would introduce the Policy in January 2012, and relates primarily to concerns over Google’s right to combine customer data for various purposes, including the purpose of improving Google’s targeted and behavioral advertising.  Three further decisions, and potential penalties, are expected to be announced – although the timing is uncertain – by the UK Information Commissioner’s Office (ICO), the Italian data protection authority, the Garante, and the German State of Hamburg data protection authority.