Jun 252020

French Council of State Upholds €50m CNIL Fine against Google

William RM Long, Lauren Cuyvers and Geraldine Scali
, , , , , ,

On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision upholding the €50 Million fine imposed against Google LLC by the French Supervisory Authority (the “CNIL”). On January 21, 2019, the French CNIL had issued a fine against Google’s U.S. headquarters for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. Please refer to the relevant Sidley Data Matters’ blog post on the CNIL decision here. The CNIL found that Google had insufficiently informed Android users about their data processing activities, given the complexity of Google’s privacy policy and terms & conditions, and that the consent obtained from them through the use of pre-ticked boxes was insufficient to serve as a legal basis for processing used for targeted advertising. This was the first and highest regulatory fine the CNIL had issued on the basis of the GDPR.

As expected, Google LLC appealed the CNIL’s decision. Google requested the Council of State to annul the decision and, in subsidiary order, initiate the preliminary reference procedure with the European Court of Justice (“ECJ”) to clarify the CNIL’s jurisdiction in this matter, among other things. As discussed in our previous blog post, the CNIL’s jurisdiction in this matter was a heavily debated and contested point by Google, both in the procedure before the CNIL and the Council of State. Google argued that only the Irish Data Protection Commissioner could claim jurisdiction. It claimed the data processing underlying the decision had a cross-border element, as such triggering the GDPR’s ‘one-stop-shop’ mechanism on the basis of which only the ‘lead Supervisory Authority’ can initiate and lead regulatory action. The ‘lead Supervisory Authority’ is the authority of the country where the company’s ‘main establishment’ is located. Because Google’s EU headquarters are in Ireland, Google concluded that the Irish DPC was best placed to take action.

The Council of State ruled that it was unclear whether Google’s Irish establishment, Google Ireland Ltd., had any control or decision-making powers to warrant its qualification as ‘main establishment’ for purposes of the one-stop-shop mechanism under the GDPR. It considered that the Android system at the time was exclusively developed and operated by Google LLC in the U.S. According to the Council of State, this led the main establishment to be outside the EU and the ‘one-stop-shop’ (and cooperation mechanism) not to be triggered. Ultimately it confirmed the CNIL’s jurisdiction in this matter and decided that these points did not require further clarification from the ECJ.

The Council of State also upheld the amount of the fine against Google (€50 Million) referring to the particular gravity of the infringement (involving core principles of the GDPR such as transparency and consent) and the effect thereof on individuals, and the continuous nature and duration of the infringement to support its decision. This fine is so far the highest fine issued under the GDPR’s regulatory framework to date. The only regulatory action to date that could potentially lead to a fine exceeding the CNIL’s is the UK Information Commissioner’s (“ICO”) action against British Airways following a cyber-incident (potentially amounting to €200 Million) and its action against Marriott (up to €100 Million). However, the ICO has so far only issued ‘intentions to fine’, so it remains to be seen how this will evolve and what fines, if any, will be ultimately imposed against both entities. This decision, and the intentions to fine British Airways and Marriott again demonstrates the great disparity and fragmentation in terms of fining practices across the EU, which makes it all the more relevant for organizations to clearly establish and document which authority may act as their lead Supervisory Authority, if they have not done so already.

William RM Long

London

wlong@sidley.com

Lauren Cuyvers

Brussels

lcuyvers@sidley.com

Geraldine Scali

gscali@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.