On June 19, 2020, France’s Highest Administrative Court (Conseil d’État) upheld the decision of the French Data Protection Authority (CNIL) to impose a $57M Euro fine on Google under the General Data Protection Regulation (GDPR) for its alleged failure to provide proper notice and obtain valid consent to process Android end user information for advertising personalization purposes. While this case highlights the importance of proper notice and valid consent, it also makes a strong statement about organizations that attempt to “forum shop” by designating as their lead authority the Supervisory Authorities viewed as more “lenient” when it comes to GDPR enforcement.
Google challenged the CNIL’s jurisdiction by claiming that its Irish affiliate, Google Ireland Limited, was its place of central administration in the EU and its main establishment for the purposes of GDPR’s one-stop-shop mechanism. The Conseil d’État disagreed, finding that Google had not established that its Irish affiliate exercised direction or control over the other European affiliates, and that the processing in question around advertising personalization was solely determined and controlled by Google, as opposed to Google Ireland. The Conseil d’État’s investigation showed that some of these powers appeared to have been shifted to Google Ireland after the CNIL’s initial decision in an attempt to strengthen the argument that the Irish Supervisory Authority should be the lead authority here.
With respect to the transparency and notice issue, the Conseil d’État upheld the CNIL’s finding that the information provided to Android users when creating a Google account was not always clear and easily accessible. Specifically, it held that critical information on Google’s processing activities around advertising was spread across several pages and that end users were sometimes required to take up to six actions to obtain the required information. The CNIL also found that the consent Google relied on for digital ad personalization was invalid, as it relied on a pre-ticked box. The Conseil d’État ruled that the $57M fine originally imposed by the CNIL was appropriate given the “gravity of the breaches committed, their continuous nature and their duration, the ceilings provided by GDPR as well as the financial situation of Google.” This fine is now the largest to be finalized under the GDPR.
This case demonstrates that multinational organizations dealing with the personal data of European citizens cannot arbitrarily decide to fall under one specific Supervisory Authority. They must think this analysis through and document it to demonstrate that any designated lead Supervisory Authority is truly the competent authority for the organization. This case also sets a significant precedent that will likely be relied on in many future EU cases, as it defines what constitutes valid consent. Organizations engaging in processing activities, especially digital advertising where consent generally must be relied upon as the legal basis for processing, should review their notice and consent mechanisms.