The Commission Nationale de l’Informatique et des Libertés’s (CNIL) restricted committee, with its decision issued on 21st January, has imposed an administrative sanction of 50 million euros on Google LLC for breaching the rules of transparency, legal basis and consent pursuant to Regulation EU 2016/679 (GDPR).
The decision stemmed from two complaints submitted on 25 and 28 May 2018 by two associations: None Of Your Business (NOYB) and La Quadrature du Net (LQDN), the latter mandated by about ten thousand data subjects (9974 to be precise), pursuant to article 80, paragraph 1, of the GDPR. Firstly, the complaints were aimed at challenging the “single” mandatory acceptance of the Terms and Conditions, without the users being able to use Google’s services and to express their consent in a clear and specific manner. Secondly, the complaints showed that Google did not establish an appropriate legal basis for the processing of users’ personal data, in the process of allowing them to create an account for using the various services offered on Android operated mobile devices.
The CNIL has self-claimed jurisdiction to carry out inspections of Google LLC’s activities, since the “one-stop shop” mechanism has not deemed to be applicable, as the Irish Supervisory Authority, where Google has its main European headquarters, could not have had competence in this regard at the time of the lodging of the complaints. Google Ireland Limited would not have had the power to make a decision on the means and purposes of the processing of personal data related to the services offered within the configuration of a mobile device with an Android operative system, and therefore not being considered as the main establishment, according to the definition set forth in Article 4(16) of the GDPR (in particular, Google LLC has not yet fully completed the “transfer” of responsibility for the processing of personal data of European citizens to Google Ireland Limited). Without the application of the one-stop shop mechanism, the CNIL was competent to decide upon the complaints made by the two associations against Google LLC.
The CNIL’s inspection activity, carried out from September 2018 onwards, has assessed and investigated Google’s breaches by thoroughly analysing the compliance of its collection of users’ personal data, when registering an account on mobile devices which use the Android operating system.
Although Google has claimed to be collecting de facto the users’ consent for the processing of their personal data for the purpose of personalizing advertising personal messages, the CNIL has argued that the data controller was not compliant with the requirements of transparency (Article 12 of GDPR), information to be provided (Article 13 of GDPR) and the establishment of an adequate legal basis (Article 6, paragraph 1, of GDPR) for the data collection.
The legal basis established by Google – the legitimate interest pursuant to Article 6, paragraph 1, letter f), of the GDPR – would not be a suitable basis – stated the CNIL – for the multiple processing activities performed by the data controller, since, on the other hand, according to the restricted committee, the proper basis would be consent under Article 6, paragraph 1, letter, a), of the GDPR.
Consequently, Google has been claimed not to be gathering a sufficiently informed, specific, and unambiguous consent, failing also to provide information to the user in a transparent and intelligible manner. In particular, although existing, the information to users on how to personalize ads is placed in more than one section of the personal webpage and does not allow to be fully aware of the choices that may be expressed. Moreover, the customisation methods refer to a plurality of services (such as, for example, the Google search engine, the Gmail e-mail service, YouTube, Google Home, Google Maps, Play Store, etc …) and their multiple combinations.
The consent also does not seem that unequivocal, since in the configuration of ad customization preferences the option appears to be already pre-ticked, such being neither specific nor distinct for each of the purposes (ad customization, voice recognition, etc. …) as it is collected through a single and general acceptance at the time of the registration of an account.
For all these reasons, the CNIL has imposed an administrative sanction of 50 million euros against Google LLC, by applying, for the first time, the provision set forth in Article 83(5) of the GDPR, which provides for penalties up to 4% of annual worldwide turnover, for breaches of obligations such as, for example, the lawfulness of processing, consent, and transparency of information provided by the data controller to users on the processing of their personal data. The amount of the sanction and the provision relating to the publication of the decision are considered justified by the CNIL due to the severity of the violations with reference to the essential principles and obligations of the GDPR, the persistence of such violations (in fact, the CNIL notes that the processing activities which are subject to sanction are still performed by Google LLC when offering its services) and the number of users involved.
Over the next few weeks, it will be interesting to see how other Supervisory Authorities have dealt – or are dealing – with similar cases, and, in particular, the methods for assessing: the amount of the administrative sanctions provided for by paragraphs 4 and 5 of Article 83 of the GDPR; the issues related to the application of the one-stop shop mechanism; and, the complaints pursuant to art. 80(1) of the Regulation.