On January 21, 2019, the French Supervisory Authority for data protection (“CNIL”) issued a fine of €50 million against Google for violations of the General Data Protection Regulation (“GDPR”) (the decision was published in French here).  The CNIL’s decision was triggered by complaints from two non-profit organizations together representing 9974 individuals. The case raises a number of important privacy issues.

First, the decision dismisses the application of the GDPR’s one-stop-shop by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would make the Irish Supervisory Authority the competent authority, instead of the CNIL).  According to the CNIL, Google has no main establishment in the EU because the decision making power over the processing of data relating to Android and Google accounts lies with Google’s headquarters in the US (Google LLC).  The CNIL based its conclusion, among other reasons, on the fact that Google’s privacy policy does not mention Google Ireland Limited as the controller and that Google Ireland Limited has not appointed a data protection officer to oversee Google’s processing operations in the EU.

In addition, the CNIL maintains that its conclusion is supported by Google, which stated publicly that it would take steps to bolster the decision making power of its Irish main establishment by January 2019.  The CNIL appears to have used the May 2018-January 2019 window to intervene and hand down its decision.  With no main establishment in the EU, Google LLC could potentially be subject to enforcement by any supervisory authority in the EU where Google has an establishment, including France.  The decision demonstrates a willingness by regulators to interpret the “main establishment” concept restrictively, which, for non-EU headquartered companies, could render the one-stop-shop redundant and expose them to enforcement by several authorities.

Second, the decision is vague on how the amount of the fine was calculated.  However, the fine is more than €20 million, which means that it is based on the GDPR’s 4% of worldwide turn-over threshold.  Given Google’s France’s “limited” turn-over, the fine is clearly based on the turn-over of Alphabet, the holding company.   This is interesting.  It is well known that the GDPR is unclear as to the basis on which the 4% should be calculated.  By using the turn-over of the holding company as a basis, the CNIL is setting the scene for a guaranteed protracted legal battle.  For the outcome, we invite readers to continue following this blog for the next three to five years.

In terms of the amount of the fine, the CNIL puts forward four points:

  • the nature of the infringement: according to the CNIL, Google has infringed two fundamental principles of data protection: the principle of transparency (i.e., the obligation to inform individuals about the processing of their personal data) and the principle of lawfulness (i.e., the obligation to link each data processing activity to one of the legal bases listed in Article 6 of the GDPR). According to the CNIL, these principles translate into fundamental rights for individuals to keep control over their personal data;
  • the duration of the infringement: the CNIL noted that Google’s ongoing infringement was not remedied, notwithstanding the CNIL’s position that the GDPR is violated;
  • the scope of the infringement: in calculating the fine, the CNIL took into account Google’s prominent position in the French market of operating systems, the number of individuals who use Google’s services, the amount and variety of personal data processed and the “unlimited” possibility Google has to match data (allowing for “massive and intrusive” processing of the users’ personal data).
  • the gain obtained from the infringement: the CNIL takes the position that, in light of the benefits Google derives from its data processing activities (in particular from its online advertising services), Google must pay particular attention that its processing activities comply with the GDPR.

On the substance, the CNIL’s decision focuses on two main aspects: (i) violation of Google’s transparency obligations under the GDPR (specifically under Articles 12 and 13) and (ii) the lack of a legal basis for processing personal data (a requirement under Article 6 GDPR).

Violation of Transparency Obligations

Under the GDPR, a controller must provide individuals information relating to the processing of their data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language”.  According to the CNIL, individuals installing the Android software and signing up to a Google account are provided with “scattered” information spread over different policies and notices. The CNIL takes the position that this makes it hard for users to find some of the information required under the GDPR.

According to the CNIL, the information Google provides does not allow users to “sufficiently understand” the particular consequences of Google’s data processing activities, which the CNIL characterizes as “particularly massive and intrusive.”  According to the CNIL, the information Google provides about the purposes for processing is “imprecise and incomplete”, and at times contradictory.  While the CNIL recognizes Google’s efforts in the last years to make its processing activities more transparent (e.g., through privacy tools such as “Privacy Check-UP” and “Dashboard”), it notes that these mechanisms are only provided at a later stage, when the user has already consented to the processing.

Lack of a Legal Basis

The CNIL is of the opinion that the consent obtained by Google does not meet the requirements for consent under the GDPR.  Under the GDPR, consent must be “given by a clear affirmative act establishing a freely given, specific, informed and ambiguous indication” of the individual’s will.  According to the CNIL, Google did not provide individuals with sufficient, understandable and accessible information required to make an informed choice. In line with its earlier Vectaury decision, the CNIL also makes the point that Google does not ask for a specific consent for each of its processing activities, but rather allowed users, at a first instance, to either accept or refuse all processing activities. Only if users click on “more options” can they separately accept the individual purposes for processing data.  The CNIL also points out that the consent boxes are then pre-ticked by default which reads like an “opt-out” rather than “opt-in”.