8 Feb 2019
Google Fined Extraordinary Amount by French Authority for Breaching Data Protection Rules
On 21 January 2019, the French Data Protection Authority (Commission Nationale de l’Informatique et des Libertés – the CNIL) imposed a fine of EUR 50 million on Google for infringing General Data Protection Regulation 2016/679 (the EU’s GDPR). Google, as operator of the Android system, was found to infringe various requirements of the GDPR, including providing insufficient information to users and failing to obtain valid consent for the personalised advertisements targeting users. France’s CNIL asserted its territorial jurisdiction over Google, arguing that Google could not benefit from the one-stop-shop principle under the GDPR.
The CNIL’s decision follows complaints that had been filed by the consumer rights organisations None of Your Business (NOYB) and La Quadrature du Net (LQDN) on 25 and 28 May 2018, just after the GDPR became applicable throughout the EU.
Under the GDPR, enforcement of data protection law is left to the national supervisory authorities of the Member States. To avoid multinational organisations established in various EU Member States having to answer to various national supervisory authorities, Article 56 of the GDPR creates a “one-stop-shop”, whereby the supervisory authority of the main establishment acts as “lead supervisory authority” for cross-border processing.
Google has various establishments in Europe, including a French affiliate, Google France SARL. However, Google’s European headquarters are located in Ireland, where Google Ireland Limited is established. Google Ireland Limited is the contracting party for all European sales contracts and has a much larger workforce than its French affiliate. Google argued that the CNIL should transfer the case to the Irish Data Protection Commissioner, which would act as lead supervisory authority.
However, the CNIL rejected Google’s arguments, holding that the European seat of an organisation does not necessarily equate to the “main establishment” determining the lead supervisory authority under Article 56 of the GDPR. Indeed, the CNIL considered that the Irish establishment did not have real decision-making powers and therefore could not be regarded as the main establishment for the matter at hand. Moreover, it noted that Google Ireland Limited had not appointed and registered a data protection officer (DPO) with the Irish Data Protection Commissioner. In addition, Google had admitted during the proceedings that it was still in the process of transferring responsibility from its global headquarters to the Irish affiliate. On this basis, the CNIL concluded that Google could not assert a “main establishment” for the processing activities at hand and, as a result, that the CNIL was competent to handle the complaints it had received.
First, the complaints by NOYB and LQDN stated that Google had failed to provide the required information to users about the processing of their personal data.
Google had adopted various initiatives in this regard, including a “dashboard” for users and a “privacy check-up” tool. However, the CNIL considered these measures insufficient. In particular, the CNIL found that the overall architecture did not allow information to be provided as required under Articles 12 to 14 of the GDPR. It held that users would have to navigate various notices and click different hyperlinks before finding essential information. For instance, the CNIL noted that information about the personalisation of advertisements and information on geo-localisation required at least five steps before it could be found. Similarly, information on retention periods was found to be hidden behind a title which did not clearly label its content. Accordingly, the CNIL concluded that the information was not provided in a transparent and easily accessible manner as required by the GDPR.
The CNIL also considered that Google’s processing activities are particularly “massive and intrusive”, drawing on a large number of sources, including mobile phone use, Gmail, YouTube, as well as other information society services and third-party websites using Google Analytics cookies. This data was deemed to reveal very precise information about the most intimate aspects of a person’s private life, including their habits, tastes, contacts, opinions and movements. This led to the CNIL’s conclusion that the information provided about the purposes for which the data would be used was often too general and insufficiently clear.
In addition, under the GDPR, any processing of personal data must be based on a “lawful basis” set out in Article 6 of the GDPR (or Article 9 for special categories of data). The CNIL held that Google’s notices to users were not clear as to whether the processing for the purpose of personalised advertisements targeting users was based on consent (Article 6.1 (a) of the GDPR) or on Google’s legitimate interests (Article 6.1 (f) of the GDPR). During the proceedings, Google clarified that its use of personal data for personalised advertising was based solely on the user’s consent.
Among other matters, the CNIL held that there were shortcomings in terms of transparency, which also affect the validity of the consent obtained. It considered that users cannot have a clear idea of the nature and volume of the data collected about them. The CNIL furthermore held that the manner in which consent was collected failed to meet the requirements of specific and unambiguous consent. It found that when a user creates an account, the user is asked to accept the privacy settings. To see these settings, the user must click through to “more options”, where they will find that the various options, including personalised ads, are pre-ticked. Users who do not click through to “more options” and simply accept the settings get a pop-up window alerting them that their account will be set to accept personalisation. The CNIL does not consider this sufficient for obtaining valid consent. It explains that, in order to be valid, consent must be obtained by means of an active step by the data subject, and that consent must be specific to each purpose. Here, the CNIL concluded that the consent for the use of personal data for personalised advertisements, which was automatic by default and hidden behind a hyperlink, was unlawful.
The CNIL held that the facts at hand and the severity of the infringement justified a fine of EUR 50 million.