The Commission nationale de l’informatique et des libertés (CNIL), which is the administrative body in France whose job is to ensure data privacy law is applied to the collection, storage and use of personal data, on the 21st of January 2019 imposed a financial penalty of 50 Million Euro against Google LLC.[1] The penalty was executed in accordance with the GDPR and highlighted Google’s lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.[2]

The GDPR came into force on the 25th of May 2018, and soon after the CNIL received group complaints from two associations, None of Your Business and La Quadrature du Net. These complaints were filed on the 25th and the 28th of May 2018 respectively. The complaints were based upon the allegation that Google did not have a valid legal basis to process user data for ad personalisation in compliance with GDPR requirements.

Upon receiving these complaints, the CNIL first had to decide whether it could operate as the Lead Supervisory Authority[3] (LSA) in examining the particular case. This was due to cross-border processing of personal data which was being carried out by Google. The CNIL therefore employed the “one-stop-shop mechanism” which is established by the GDPR. It is through this principle that the CNIL needed to provide clarity as to whether it could investigate and possibly enforce a penalty upon Google. This principle was implemented in order to avoid entities from corresponding with several authorities within different states, and vice-versa for entities to not have to deal with a barrage of information from separate authorities within different Member States relating to one complaint/incident where cross-border processing is involved.

The principle applies only in cases of cross-border data processing activities. Cross-border processing is defined by Article 4 of the GDPR as being; a) processing of personal data which takes place in the context of the activities of establishments in more than one Member State of a controller or processor in the Union where the controller or processor is established in more than one Member State; or b) processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the Union but which substantially affects or is likely to substantially affect data subjects in more than one Member State.

The CNIL, decided it was in fact the authority having primary responsibility for dealing with the processes subject to the complaints filed, after having determined the location of the main establishment of Google. This was a complex issue as Google’s European headquarters are situated in Ireland, but discussions held between the CNIL and the Data Protection Commission in Ireland led to the consideration that Google did not have a main establishment within any of the EU Member States. This position was enhanced by the fact that when proceedings were initiated by the CNIL, Google’s Irish entity did not have any decision-making power on the processing or operations and the services being provided by Google LLC.

The CNIL, upon deciding that it was competent to deal with the complaints which had been lodged, began carrying out online inspections in September of 2018. These were done through thorough examinations of Android operating systems and their linking up and creation of Google accounts. Through these inspections the CNIL decided that there had been the following violations;

  1. A violation of the obligations of transparency and information.

The CNIL stated that information provided by Google to users was not easily accessible. It reiterated that essential information required by the user was excessively disseminated across several documents, meaning that users had to access different terms and conditions, policies, and links, along with several clicks of buttons and hyperlinks, in order to access the information. Thus, information on data processing purposes, data storage periods, or the categories of personal data being utilised for the personalization for ads, could only be accessed through several clicks by the user and from different source locations. Another issue mentioned by the CNIL was that users could not be expected to fully understand the extent of the processing operations carried out by Google because of the manner in which information was spread out.

  1. A violation of the obligation to have a legal basis for ads personalization processing.

This violation dealt specifically with the consent obtained by Google for processing information relating to ad personalization. The CNIL stated that the consent was not validly obtained by Google for two main reasons. The first involved the fact that users were not sufficiently informed when giving their consent about who was processing their information, which for certain operations was involving several services, applications and websites. The CNIL reiterated that here again, the issue was the dilution of information within several documents, resulting in users being unaware of what it is exactly they are consenting to.

The second point in relation to consent, was that it was not being obtained in a specific or unambiguous manner. The CNIL stated that the fact that the user was asked to agree to Google’s Terms of Service and to the processing of my information as described above and further explained in the Privacy Policy, could not be considered as being specific and distinct for each purpose as required by the GDPR. The inclusion by Google of a pre-ticked box relating to the display of ads personalization also went against the GDPR’s requirement of consent being unambiguous, requiring an action from the user in order to provide consent.

A penalty of 50 Million Euro was imposed upon Google, where the CNIL stated that this was done not only because of the violations mentioned above, but due to the fact that these were continuous breaches of the GDPR which were still occurring up until the date of the decision, and not a one-off incident. The main points which businesses should consider from this decision are that; consent must always be obtained in a way which is specific and unambiguous and requested in an unbundled format, therefore, customers must have the information presented to them in a clear and easily accessible manner; and that all information regarding any terms and conditions of use, or the manner in which information is going to be processed, must be easily accessible by customers or users at all times.