Gmail creates “Spam Emails”, despite CJEU judgment

24 August 2022
phone with two email notifications and two spam messages

Gmail creates “Spam Emails”, despite CJEU judgment

Today, noyb.eu filed a complaint against Google with the French Data Protection Authority (CNIL). The tech giant has repeatedly ignored the European Court of Justice (CJEU) ruling on direct marketing emails and used its email platform Gmail to send unsolicited advertising emails without valid consent of the users.

Ads disguised as emails. Google sends Gmail users unsolicited advertising emails directly to their inbox. These messages may look like normal emails, but are in fact ads to which users never consented to. When commercial emails are sent directly to users, they constitute as direct marketing emails and are regulated under the ePrivacy directive.

Google ignores CJEU judgment on inbox advertising. EU law already makes it quite clear: the use of email, for the purpose of direct marketing, requires user consent. The Court of Justice went further and confirmed that any advertising in a user’s inbox is subject to the rule of consent. The user must therefore always freely consent to receiving advertising directly in their inbox, which Google clearly ignores.

"The Court of Justice was pretty clear on the matter: if it looks like an email, smells like an email, then it is an email. It seems that Google ignores this and continues sending spam to their own users." - Eliška Andrš, legal trainee at noyb.eu

Two types of spam? While Gmail successfully filters most external spam messages in a separate spam folder, the unsolicited spam messages by Google are sent directly to the user’s inbox. This gives the impression that the user subscribed to these emails or services, when in reality, no consent was obtained from the user.

"It is quite simple. Spam is a commercial email sent without consent. And it is illegal. Spam does not become legal just because it is generated by the email provider."- Romain Robert, lawyer at noyb.eu

CNIL has a history of fining Google. Since this complaint is based on the ePrivacy Directive and not the GDPR, the French authority (CNIL) can directly decide and fine Google without the need to cooperate with other DPAs. The CNIL already fined Google 150 Mil Euro in December 2021 over their cookie violations and imposed a fine of 50 Mil Euro based on a noyb and a LQDN complaint, because of Google’s opaque and unclear privacy notice and lack of legal basis for personalized ads.