Complaints Brought by Data Subject Interest Groups
The CNIL initiated its investigations following two complaints it received against Google in June 2018. The complaints were lodged by the French interest groups None of Your Business and La Quadrature du Net (a group mandated by 10,000 data subjects to file a complaint). These groups claimed Google did not have a valid legal basis to process the personal data of its users for the purposes of its user behavioural analysis and targeted advertising activities ("ad personalisation activities").
Consistency Mechanism Did Not Apply
Given Google's activities throughout the Member States of the European Union ("EU"), the CNIL first had to assess whether it was the competent Data Protection Authority ("DPA") to investigate the complaints. The CNIL liaised with other DPAs to determine whether the General Data Protection Regulation's ("GDPR") consistency mechanism (a form of what is known informally as the "one-stop-shop") was triggered. With the assistance of other EU DPAs, in particular Ireland's Data Protection Commission, the CNIL determined that the consistency mechanism was not triggered in this particular case, on the basis that Google does not have a main establishment in the EU for the purposes of its ad personalisation activities.
Breaches of the GDPR
To investigate the complaints, the CNIL initiated a series of online inspections on Google's platform. The CNIL determined that Google had breached two fundamental aspects of the GDPR:
1. Insufficient notice: Breach of transparency and information obligations
The CNIL found that:
- Google did not make the relevant data protection notice easily accessible to users, which breached Article 12 of the GDPR. The CNIL held (amongst other things) that the notice was "not always clear and comprehensive" and only "accessible after several steps" were taken by users; and
- Google breached Article 13 of the GDPR as its notice did not comply with the GDPR's requirement to provide specific, mandatory information to data subjects (e.g. the purposes of processing, retention periods, etc.). The CNIL held that "users are not able to fully understand the extent of the processing operations carried out by Google" as the information provided was "too generic and vague". It also found Google's processing activities to be "particularly massive and intrusive" due to the multiple purposes for which Google processed personal data. Google offered 20 different services and collected large amounts of personal data.
2. Invalid user consent: Breach of legal basis obligation
Consent under the GDPR is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her". The CNIL found that Google's reliance on the legal basis of user consent to process personal data for the purposes of its ad personalisation activities was invalid under Articles 4 and 6 of the GDPR for two reasons:
- Pre-ticked boxes were being used by Google for these processing activities. This meant that consent did not meet the "unambiguous" threshold of consent under the GDPR or serve as an "indication of the data subject's wishes…by a clear affirmative action" from Google's users. The CNIL further held that the consent information Google provided was "diluted in several documents" to the extent that users could not fully understand the processing activities to which they were consenting. As such, the consent obtained by Google did not meet the GDPR's sufficiently "informed" threshold; and
As a result of the CNIL's investigative findings, Google received a fine of €50m for breaching these key provisions of the GDPR. As such, 21 January 2019 marks the CNIL's first imposition of a fine under the new GDPR regime. According to the CNIL, the fine reflects the seriousness of Google's failings to comply with the GDPR.
This case demonstrates the magnitude of the GDPR's regime in practice and the impact that any breach of the GDPR can have on a business. It also highlights the critical focus that EU DPAs have on the GDPR's transparency requirements which seek to protect individuals from unlawful processing of their personal data. All businesses should ensure that their data protection notices are appropriately brought to the attention of data subjects and that such notices are accurate, up-to-date and fully meet the requirements of the GDPR.