French CNIL Fines Google €50m for Violation of GDPR’s Transparency and Consent Requirements

On January 21, 2019, the French Supervisory Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) issued Google’s U.S. headquarters (“Google”) with a fine of €50m for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. The CNIL found that the general structure of Google’s privacy policy and terms & conditions was too complex for the average user and that Google, by using pre-ticked boxes as a consent mechanism, failed to establish a legal basis for data processing to deliver targeted advertising. This is the first regulatory fine the CNIL issued on the basis of the GDPR’s penalty authorities, and it marks a strong enforcement signal to organizations subject to the CNIL’s jurisdiction moving forward.

The administrative proceedings against Google were initiated through a collective claim filed with the CNIL on May 25 and 28, 2018 by two privacy rights organizations, NOYB (“None Of Your Business”, founded by Max Schrems) and LQDN (“La Quadrature du Net”).  The CNIL noted that LQDN in particular was mandated by more than 10,000 individuals to bring a complaint on their behalf.  The NOYB and LQDN complaints urged the CNIL to investigate Google’s data processing activities related to Android users who create a Google account (a prerequisite to use Google apps and services). The CNIL investigated the complaints and decided to commence administrative proceedings.  The €50m fine comes only approximately 8 months after the claims were filed.

Google submitted an extensive procedural defense disputing the CNIL’s competence to take action. Google argued that the data processing underlying the CNIL’s decision, which covers a large number of Android users across Europe, contains a cross-border element and as such triggers the GDPR’s cooperation and “one-stop-shop” procedure. The one-stop-shop principle is a preferential regime under the GDPR and submits organizations that are able to demonstrate centralized decision-making power to the enforcement powers of only one Supervisory Authority (the “lead Supervisory Authority”). According to Google, only the Irish Data Protection Commission, which is the authority overseeing Google’s European headquarters in Ireland, could claim competence as lead Supervisory Authority as Google Ireland Limited is the main entity from a financial and commercial perspective (acting as counterparty in most commercial contracts with European clients) as well as the central Google entity in terms of resources and man-power (with over 3,600 employees).  The CNIL, however, considered that these elements were insufficient to establish that Google Ireland Limited, at the time of the initiation of the investigation, had decision-making power with respect to the processing activities related to Android users.  In particular, the CNIL pointed to the fact that Google Ireland Limited was not mentioned in the privacy notice as the decision-making entity for processing activities related to Android users, and that it did not develop the Android operating system (Google LLC did). Lastly, the CNIL noted that Google itself confirmed that it was in the process of “transferring responsibility” from Google LLC to Google Ireland Limited for the processing operations covered, and that this process would only be finalized by January 31, 2019. 
As such, the CNIL considered there to be no main establishment for purposes of the “one-stop-shop” regime, and asserted competence over the matter on the basis of sufficient territorial ties with France.

From a substantive perspective, the CNIL found that the information Google provides to its users on its data processing activities is not easily accessible, nor sufficiently clear and intelligible. In practice, Google’s data processing activities are explained in different sets of documents (its privacy policy and general terms and conditions), and certain additional information is only available after having created a Google account or after the user has clicked on specific links in the documents (e.g., “to find out more, click here”). The CNIL assessed that, in the case of targeted ad processing, five different user actions were required in order to access the full set of information that applies to the processing of the user’s data. This approach was considered to lead to a fragmentation of valuable and extensive sets of information which were, according to the CNIL, already difficult for an average user to process.

Secondly, the CNIL found that Google’s information notices were too generic, and in particular too generic in light of what it deemed to be the “intrusiveness” of the data processing activity at hand (profiling to deliver targeted advertising). Google’s use of generic language was considered insufficient to fulfil the GDPR transparency requirement, which in essence should allow the user to clearly establish the scope of processing activities that involve his personal data.

The CNIL also relied on its finding of a lack of transparency to conclude that Google’s legal basis for processing, user consent, was illegitimate. The CNIL found that without sufficient information, the user is not able to make an informed decision as to whether or not to consent, rendering any given consent void. Moreover, the CNIL highlighted that Google’s use of pre-ticked boxes as a consent mechanism could lead a user to consent to Google’s targeted ad processing by default, which is in contradiction to the GDPR requirement that consent be “unambiguous” and expressed “by means of a clear affirmative action.”

Given the particular nature of the processing involved and the specific position of the Android operating system on the French market (impacting millions of users), the CNIL’s large penalty may not come as a significant surprise to many watching the evolution of data protection enforcement in the EU. However, the CNIL’s critical findings with regard to information notices and consent mechanisms—emphasizing a need for notice and consents that are user-friendly, comprehensive and exhaustive at the same time—highlight a cumbersome, if not herculean, design challenge. This is especially true for organizations like Google which offer a wide set of applications and services driven by different processing operations and purposes and a variety of users. The CNIL’s decision is now open for appeal before the French Council of State (“Conseil d’Etat”) for a period of 4 months, and Google has already publicly stated that it will appeal the decision.