The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”.
Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came into force on 25 May 2018, the French data protection authority (CNIL) received separate complaints about Google LLC (Google) from two non-profit organisations — ‘La Quadrature du Net’ and ‘None Of Your Business’, the latter founded by activist lawyer Max Schrems. The complaints, made by the organisations on behalf of nearly 10,000 individuals, can be summarised as follows:
- La Quadrature du Net claimed that Google processed personal data for targeted advertising without a valid legal basis.
The Investigation and Google’s Response
The CNIL immediately launched an investigation into the complaints. By the end of October 2018, the CNIL had already completed an investigation and issued a statement of claim to Google, which set out the CNIL’s proposal to fine Google €50 million for alleged breaches of the GDPR.
Google argued that the CNIL should have immediately forwarded the complaints to the Irish Data Protection Commission (DPC), which should have investigated them in its capacity as lead authority, on the basis that Google’s headquarters are based in Ireland.
The CNIL’s Lack of “Main Establishment” Argument
While acknowledging the existence of significant financial and human resources within Google’s Irish establishment, the CNIL held that it could not be a “main establishment” in the EU within the meaning of Article 4 and Recital 36 of the GDPR. The CNIL’s argument included the following points:
- At the time of the complaints, the US entity was the only decision-making entity, because only that Google entity performed “the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing”.
- While the CNIL acknowledged that Google’s Irish establishment participated in the relevant processing activities, the CNIL concluded that it had no “decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by Google LLC, in relation to the creation of an account during the configuration of a mobile phone”. Absent a main establishment in the EU, the CNIL concluded that it had jurisdiction over the processing controlled by Google.
- In further support of this conclusion, the CNIL referred to the fact that Google had recently written to the Irish DPC to inform it that the transfer of liability to the Irish establishment for certain processing relating to EU individuals would be complete by the end of January 2019 (i.e. after the complaints were made).
- In response to Google’s counter-argument that the CNIL should have referred the matter to the European Data Protection Board (EDPB) if there was any uncertainty on the lead authority, the CNIL argued that identifying a lead authority was unnecessary if there was no main establishment in the EU, since the one-stop-shop mechanism was simply not applicable. The CNIL added that it had immediately forwarded the complaints to all European data protection authorities (DPAs) and that none of these, nor the Chairman of the EDPB, deemed it necessary to refer the matter to the EDPB for the identification of a lead authority.
The CNIL Decision
The CNIL handed down its final decision regarding the complaints on 21 January 2019, finding that:
- With respect to Google’s processing of personal data for targeted advertising, Google was in breach of its obligation to have a legal basis as set forth in Article 6 of the GDPR for targeted advertising.
- Were difficult to find, because the information was scattered across several documents, thus fragmenting the information and requiring the user to make multiply clicks to access all of it
- Did not allow users to clearly understand the specific consequences of particularly “massive and intrusive” processing operations
- Did not allow users to understand the distinction that Google was drawing between the legal basis on which it was performing targeted advertising through the combination of multiple data (based on consent) and other forms of targeting using, for example the browsing activity (based on legitimate interest)
Regarding Google’s alleged breach of its obligation to have a legal basis for targeted advertising, the CNIL held that users’ consent for targeted advertising could not be valid because such consent was:
- Not sufficiently informed, because the information was fragmented across several documents
- Neither “specific” nor “unambiguous”, since users were required to provide their consent in full, for all the processing operations purposes carried out by Google based on this consent, including targeted advertising
Google argued that a €50 million fine was disproportionate and that it should have received a warning and the chance to rectify the alleged breaches before a fine was imposed. The CNIL disagreed, however, stating that it has discretionary powers to impose sanctions that it considers appropriate and that, in the present case, a €50 million fine was appropriate on the grounds that:
- The GDPR obligations in question went to fundamental and central provisions of the GDPR.
- The processing operations at stake concern a significant number of data subjects.
- The alleged infringements are not one-off or time-limited; they are continuous (and continuing) breaches of the GDPR.
- Compliance with data privacy obligations with respect to targeted advertising was particularly important in Google’s case given the significance of targeted advertising revenues to the company’s economic model.
Google has the right to lodge an appeal against this decision with the French State Council (Conseil d’Etat) within four months of the notification. Given the size of the fine, the publicity it is already receiving, and the impact of the decision on Google’s digital advertising operating models, an appeal seems highly probable.
While this decision will likely be tested on appeal, it provides several takeaways for businesses in the interim:
- Use of the one-stop-shop mechanism: Businesses that want to rely on the one-stop-shop mechanism by claiming to have a main establishment in the EU will need to provide evidence that the main establishment has “decision making powers” related to the processing in question. Organisations should review their policies and governance structures and ensure that the main establishment has documentation evidencing where the decision making power lies, in line with the accountability principle.
- Transparency: Whilst a layered approach, or other creative approaches to transparency via privacy centres have been encouraged by various DPA guidance, organisations must ensure that users are able to easily understand core processing activities —perhaps a difficult balance to strike.