On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here). The CNIL’s decision was triggered by complaints from two non-profit organizations together representing 9974 individuals. The case raises a number of important privacy issues.

First, the decision dismisses the application of the GDPR’s one-stop-shop by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would make the Irish Supervisory Authority the competent authority, instead of the CNIL).  According to the CNIL, Google has no main establishment in the EU because the decision making power over the processing of data relating to Android and Google accounts lies with Google’s headquarters in the US (Google LLC).  The CNIL based its conclusion, among other reasons, on the fact that Google’s privacy policy does not mention Google Ireland Limited as the controller and that Google Ireland Limited has not appointed a data protection officer to oversee Google’s processing operations in the EU.

In addition, the CNIL maintains that its conclusion is supported by Google, which stated publicly that it would take steps to bolster the decision making power of its Irish main establishment by January 2019.  The CNIL appears to have used the May 2018-January 2019 window to intervene and hand down its decision.  With no main establishment in the EU, Google LLC could potentially be subject to enforcement by any supervisory authority in the EU where Google has an establishment, including France.  The decision demonstrates a willingness by regulators to interpret the “main establishment” concept restrictively, which, for non-EU headquartered companies, could render the one-stop-shop redundant and expose them to enforcement by several authorities.

Second, the decision is vague on how the amount of the fine was calculated. However, the fine is more than €20 million, which means that it is based on the GDPR’s 4% of worldwide turnover threshold. Given Google France’s “limited” turnover, the fine is clearly based on the turnover of Alphabet, the holding company. This is interesting. It is well known that the GDPR is unclear as to the basis on which the 4% should be calculated. By using the turnover of the holding company as a basis, the CNIL is setting the scene for a guaranteed protracted legal battle. For the outcome, we invite readers to continue following this blog for the next three to five years.

In terms of the amount of the fine, the CNIL puts forward four points:

  • the nature of the infringement: according to the CNIL, Google has infringed two fundamental principles of data protection: the principle of transparency (i.e., the obligation to inform individuals about the processing of their personal data) and the principle of lawfulness (i.e., the obligation to link each data processing activity to one of the legal bases listed in Article 6 of the GDPR). According to the CNIL, these principles translate into fundamental rights for individuals to keep control over their personal data;
  • the duration of the infringement: the CNIL noted that Google’s ongoing infringement was not remedied, notwithstanding the CNIL’s position that the GDPR is violated;
  • the scope of the infringement: in calculating the fine, the CNIL took into account Google’s prominent position in the French market of operating systems, the number of individuals who use Google’s services, the amount and variety of personal data processed and the “unlimited” possibility Google has to match data (allowing for “massive and intrusive” processing of the users’ personal data);
  • the gain obtained from the infringement: the CNIL takes the position that, in light of the benefits Google derives from its data processing activities (in particular from its online advertising services), Google must pay particular attention that its processing activities comply with the GDPR.

On the substance, the CNIL’s decision focuses on two main aspects: (i) violation of Google’s transparency obligations under the GDPR (specifically under Articles 12 and 13) and (ii) the lack of a legal basis for processing personal data (a requirement under Article 6 GDPR).

Violation of Transparency Obligations

Under the GDPR, a controller must provide individuals information relating to the processing of their data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.  According to the CNIL, individuals installing the Android software and signing up to a Google account are provided with “scattered” information spread over different policies and notices. The CNIL takes the position that this makes it hard for users to find some of the information required under the GDPR.

According to the CNIL, the information Google provides does not allow users to “sufficiently understand” the particular consequences of Google’s data processing activities, which the CNIL characterizes as “particularly massive and intrusive.” According to the CNIL, the information Google provides about the purposes for processing is “imprecise and incomplete”, and at times contradictory. While the CNIL recognizes Google’s efforts in recent years to make its processing activities more transparent (e.g., through privacy tools such as “Privacy Check-UP” and “Dashboard”), it notes that these mechanisms are only provided at a later stage, when the user has already consented to the processing.

Lack of a Legal Basis

The CNIL is of the opinion that the consent obtained by Google does not meet the requirements for consent under the GDPR. Under the GDPR, consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication” of the individual’s will. According to the CNIL, Google did not provide individuals with the sufficient, understandable and accessible information required to make an informed choice. In line with its earlier Vectaury decision, the CNIL also makes the point that Google does not ask for a specific consent for each of its processing activities, but rather allows users, in the first instance, to either accept or refuse all processing activities. Only if users click on “more options” can they separately accept the individual purposes for processing data. The CNIL also points out that the consent boxes are then pre-ticked by default, which reads like an “opt-out” rather than an “opt-in”.

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Henriette (“Jetty”) Tielemans is co-chair of the firm’s Data Privacy and Cybersecurity Practice Group and a member of the European Advisory Board of the International Association of Privacy Professionals (IAPP).  Ms. Tielemans was selected by the European Commission in Brussels to join the five member team of the Commission’s expert group on privacy (GEXPD group).  She advises multinationals on all aspects of data privacy and data security at the EU and Member State level, and has assisted several companies with their compliance and international data transfer issues.

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.  Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.  Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.  She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).  Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.  Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Nicholas Shepherd is an associate in Covington’s Brussels office, where he is a member of the Data Privacy and Cybersecurity practice group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide.  Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements related to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer registered on the B-List of the Brussels Bar, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.