Jan 242019

French CNIL Fines Google €50m for Violation of GDPR’s Transparency and Consent Requirements

Lauren Cuyvers, Geraldine Scali and Wim Nauwelaerts
, , , ,

On January 21, 2019, the French Supervisory Authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) issued Google’s U.S. headquarters (“Google”) with a fine of €50m for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. The CNIL found that the general structure of Google’s privacy policy and terms & conditions was too complex for the average user and that Google, by using pre-ticked boxes as a consent mechanism, failed to establish a legal basis for data processing to deliver targeted advertising. This is the first regulatory fine the CNIL issued on the basis of the GDPR’s penalty authorities, and it marks a strong enforcement signal to organizations subject to the CNIL’s jurisdiction moving forward.

The administrative proceedings against Google were initiated through a collective claim filed with the CNIL on May 25 and 28, 2018 by two privacy rights organizations, NOYB (“None Of Your Business”, founded by Max Schrems) and LQDN (“La Quadrature du Net”).  The CNIL noted that LQDN in particular was mandated by more than 10,000 individuals to bring a complaint on their behalf.  The NOYB and LQDN complaints urged the CNIL to investigate Google’s data processing activities related to Android users who create a Google account (a prerequisite to use Google apps and services). The CNIL investigated the complaints and decided to commence administrative proceedings.  The €50m fine comes only approximately 8 months after the claims were filed.

Google submitted an extensive procedural defense disputing the CNIL’s competence to take action. Google argued that the data processing underlying the CNIL’s decision, which covers a large number of Android users across Europe, contains a cross-border element and as such triggers the GDPR’s cooperation and “one-stop-shop” procedure. The one-stop-shop principle is a preferential regime under the GDPR and submits organizations that are able to demonstrate centralized decision-making power to the enforcement powers of only one Supervisory Authority (the “lead Supervisory Authority”). According to Google, only the Irish Data Protection Commission, which is the authority overseeing Google’s European headquarters in Ireland, could claim competence as lead Supervisory Authority as Google Ireland Limited is the main entity from a financial and commercial perspective (acting as counterparty in most commercial contracts with European clients) as well as the central Google entity in terms of resources and man-power (with over 3,600 employees).  The CNIL, however, considered that these elements were insufficient to establish that Google Ireland Limited, at the time of the initiation of the investigation, had decision-making power with respect to the processing activities related to Android users.  In particular, the CNIL pointed to the fact that Google Ireland Limited was not mentioned in the privacy notice as the decision-making entity for processing activities related to Android users, and that it did not develop the Android operating system (Google LLC did). Lastly, the CNIL noted that Google itself confirmed that it was in the process of “transferring responsibility” from Google LLC to Google Ireland Limited for the processing operations covered, and that this process would only be finalized by January 31, 2019. As such, the CNIL considered there to be no main establishment for purposes of the “one-stop-shop” regime, and asserted competence over the matter on the basis of sufficient territorial ties with France.

From a substantive perspective, the CNIL found that the information Google provides to its users on its data processing activities is not easily accessible, sufficiently clear and intelligible. In practice, Google’s data processing activities are explained in different sets of documents (its privacy policy and general terms and conditions), and certain additional information is only available after having created a Google account or after the user has clicked on specific links in the documents (e.g., “to find out more, click here”). The CNIL assessed that, in the case of targeted ad processing, five different user actions were required in order to access the full set of information that applies to the processing of the user’s data. This approach was considered to lead to a fragmentation of valuable and extensive sets of information which were, according to the CNIL, already difficult for an average user to process.

Secondly, the CNIL found that Google’s information notices were too generic, and in particular too generic in light of what they deemed to be the “intrusiveness” of the data processing activity at hand (profiling to deliver targeted advertising). Google’s use of generic language was considered insufficient to fulfil the GDPR transparency requirement, which in essence should allow the user to clearly establish the scope of processing activities that involve his personal data.

The CNIL also used their finding that there was a lack of transparency to consider Google’s legal basis for processing, user consent, to be illegitimate. The CNIL found that without sufficient information, the user is not able to take an informed decision as to whether or not to consent, rendering any given consent void. Moreover, the CNIL highlighted that Google’s use of pre-ticked boxes as a consent mechanism could lead a user to consent to Google’s targeted ad processing by default, which is in contradiction to the GDPR requirement that consent be “unambiguous” and expressed “by means of a clear affirmative action.”

Given the particular nature of the processing involved and the specific position of the Android operating system on the French market (impacting millions of users), the CNIL’s large penalty may not come as a significant surprise to many watching the evolution of data protection enforcement in the EU.  However, the CNIL’s critical findings with regard to information notices and consent mechanisms—emphasizing a need for notice and consents that are user-friendly, comprehensive and exhaustive at the same time—highlights a cumbersome, if not herculean, design challenge. This is especially true for organizations like Google which offer a wide set of applications and services driven by different processing operations and purposes and a variety of users. The CNIL’s decision is now open for appeal before the French Council of State (“Conseil d’Etat”) for a period of 4 months, and Google has already publicly stated that it will appeal the decision.

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Geraldine Scali

gscali@sidley.com

Wim Nauwelaerts

wnauwelaerts@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.