Google allows unwanted advertising emails to pass through Gmail, thereby violating a ruling by the European Court of Justice. The Austrian interest group noyb.eu has now filed a data protection complaint.
Google is once again responsible for data protection. Because the Austrian interest group noyb.eu has submitted a data protection complaint to the French data protection authority (CNIL).
The reason is unwanted advertising emails that landed directly in the inbox of Gmail users.
According to noyb.eu, these messages look like regular emails, but are actually advertisements. The users would not have agreed to this.
When commercial emails are sent directly, they are considered direct marketing emails and fall under the ePrivacy Regulation.
ECJ judgment provides basis for the complaint
In its data protection complaint, noyb.eu refers to a CJEU ruling on inbox advertising from 2021. According to this, the use of e-mails for the purpose of direct advertising requires the consent of the users.
Users must expressly agree to this voluntarily. But Google “clearly” ignores this, according to the interest group noyb.eu.
“The Court was pretty clear on this matter: if it looks like an email, smells like an email, then it’s an email. It seems that Google is ignoring this and continues to send spam to its own users,” says noyb.eu legal trainee Eliška Andrš.
Good spam, bad spam
In particular, Noyb.eu accuses the Alphabet subsidiary of distinguishing between two types of spam. External spam messages are “successfully” transported to the spam folder by Google. However, spam messages from Google would end up directly in the inbox.
The group thus gives the impression that users have subscribed to these messages. “Although in reality there is no consent from the users.”
Spam is commercial email sent without consent. And it’s illegal. Spam is not legal because it is generated by an email provider.
It would not be the first CNIL penalty for Google
Among other things, Noyb.eu turned to the French data protection authority because they could decide directly and impose a fine. This is because the complaint is not based on the GDPR, but on the ePrivacy Directive.
The CNIL also did this in December 2021. At that time, Google was fined 150 million euros for cookie violations. The Alphabet subsidiary had to shell out another 50 million euros because of the lack of a legal basis for personalized advertising.