French CNIL Fines Google €50m for Violation of GDPR’s Transparency and Consent Requirements
The administrative proceedings against Google were initiated through a collective claim filed with the CNIL on May 25 and 28, 2018 by two privacy rights organizations, NOYB (“None Of Your Business”, founded by Max Schrems) and LQDN (“La Quadrature du Net”). The CNIL noted that LQDN in particular was mandated by more than 10,000 individuals to bring a complaint on their behalf. The NOYB and LQDN complaints urged the CNIL to investigate Google’s data processing activities related to Android users who create a Google account (a prerequisite to use Google apps and services). The CNIL investigated the complaints and decided to commence administrative proceedings. The €50m fine comes only approximately 8 months after the claims were filed.
Google submitted an extensive procedural defense disputing the CNIL’s competence to take action. Google argued that the data processing underlying the CNIL’s decision, which covers a large number of Android users across Europe, contains a cross-border element and as such triggers the GDPR’s cooperation and “one-stop-shop” procedure. The one-stop-shop principle is a preferential regime under the GDPR that subjects organizations able to demonstrate centralized decision-making power to the enforcement powers of only one Supervisory Authority (the “lead Supervisory Authority”). According to Google, only the Irish Data Protection Commission, which is the authority overseeing Google’s European headquarters in Ireland, could claim competence as lead Supervisory Authority, as Google Ireland Limited is the main entity from a financial and commercial perspective (acting as counterparty in most commercial contracts with European clients) as well as the central Google entity in terms of resources and manpower (with over 3,600 employees). The CNIL, however, considered that these elements were insufficient to establish that Google Ireland Limited, at the time of the initiation of the investigation, had decision-making power with respect to the processing activities related to Android users. In particular, the CNIL pointed to the fact that Google Ireland Limited was not mentioned in the privacy notice as the decision-making entity for processing activities related to Android users, and that it did not develop the Android operating system (Google LLC did). Lastly, the CNIL noted that Google itself confirmed that it was in the process of “transferring responsibility” from Google LLC to Google Ireland Limited for the processing operations covered, and that this process would only be finalized by January 31, 2019.
As such, the CNIL considered there to be no main establishment for purposes of the “one-stop-shop” regime, and asserted competence over the matter on the basis of sufficient territorial ties with France.
Secondly, the CNIL found that Google’s information notices were too generic, and in particular too generic in light of what it deemed to be the “intrusiveness” of the data processing activity at hand (profiling to deliver targeted advertising). Google’s use of generic language was considered insufficient to fulfil the GDPR transparency requirement, which in essence should allow users to clearly establish the scope of processing activities that involve their personal data.
The CNIL also used its finding that there was a lack of transparency to consider Google’s legal basis for processing, user consent, to be illegitimate. The CNIL found that without sufficient information, the user is not able to make an informed decision as to whether or not to consent, rendering any given consent void. Moreover, the CNIL highlighted that Google’s use of pre-ticked boxes as a consent mechanism could lead a user to consent to Google’s targeted ad processing by default, which is in contradiction to the GDPR requirement that consent be “unambiguous” and expressed “by means of a clear affirmative action.”
Given the particular nature of the processing involved and the specific position of the Android operating system on the French market (impacting millions of users), the CNIL’s large penalty may not come as a significant surprise to many watching the evolution of data protection enforcement in the EU. However, the CNIL’s critical findings with regard to information notices and consent mechanisms, which emphasize a need for notices and consents that are user-friendly, comprehensive and exhaustive at the same time, highlight a cumbersome, if not herculean, design challenge. This is especially true for organizations like Google, which offer a wide set of applications and services driven by different processing operations and purposes and a variety of users. The CNIL’s decision is now open for appeal before the French Council of State (“Conseil d’Etat”) for a period of 4 months, and Google has already publicly stated that it will appeal the decision.