It was only a matter of time before we would see the European regulators flex their muscles under the GDPR to impose huge fines on businesses – and to a large degree, it is no surprise that a large tech company has been the first to face a fine of this scale.

On 21 January 2019, Google LLC was fined €50 million by the French data regulator CNIL, for a breach of the EU’s data protection rules, in particular for lack of transparency, inadequate information provided to data subjects/users and lack of valid consent regarding ad personalisation.

On the very day that the GDPR came into effect (25 May 2018) and on 28 May 2018, complaints were made by the French interest groups None of Your Business, which is spearheaded by the Austrian privacy activist Max Schrems (who led the complaints that eventually took down the EU-US Safe Harbour regime), and La Quadrature du Net, which together claimed that Google failed to provide a valid legal basis to process user data for ad personalisation, as required by the GDPR.

VIOLATIONS

The GDPR requires that, in order for data processing to be lawful, data subjects / service users must be told in clear and simple terms what personal data of theirs is being processed, why, on what legal basis, who it will be shared with, how long it will be stored, etc. These are known as transparency obligations and information notices and come within the requirements of Articles 12, 13 and 14 of the GDPR. We all experienced an overload of these in the run-up to 25 May 2018.

In short, the violations in this case are about Google’s failure to comply with the transparency and information obligations – which in a nutshell means that users simply do not understand what is being done with their personal data. The CNIL was clearly of the view that, given the complexity of the information presented to users and the number of steps a user must go through when setting up a service or accepting terms of use and related documents, he/she could not possibly provide valid consent within the meaning of consent under the GDPR.

The CNIL has said that users were insufficiently informed about how Google collected data relating to the personalisation of advertising, with the French regulator pointing to Google’s failure in relation to two key areas:

1. Inadequate transparency and information – in breach of Arts 12 and 13 – Google does not obtain valid consent to process data because “essential information” such as the data processing purposes, the data storage periods and the categories of personal data are “disseminated across several documents.” For example, it takes 5 or 6 clicks for users to find out how their data is being processed in order to personalise ads. Similarly, the information communicated to users is not sufficiently clear so that they can understand that consent is the legal basis of processing, and not the legitimate interest of the company (Art 6).

The CNIL stated that the processing operations are particularly massive and intrusive because of the number of services offered (about twenty – such as Google search, YouTube, Google home, Google maps, Playstore, Google photo, Google play, Google analytics, Google translation, and Play books), and given the amount and the nature of the data processed and combined.

The judgement criticises the vague and generic nature of the purpose of the processing presented to users which effectively prevents the user from clearly understanding what he/she is signing up to and in this case, what he/she is “voluntarily” agreeing to be subjected to by way of targeted advertisements where data is collected revealing very intimate details of a user’s lifestyle, preferences, contacts, opinions, travels etc.

2. Invalid user consent regarding ads personalisation – Under the GDPR consent must be “freely given, specific, informed and unambiguous.” The CNIL found that Google is in breach of Arts 4 and 6 for two reasons:

  • When creating a Google account, users are required to tick a box that states: “I agree to the processing of my information as described above and further explained in the Privacy Policy.” The CNIL found that this blanket form of consent falls short of the ‘specific’ threshold of consent under the GDPR – consent is only specific “if it is given distinctly for each purpose.” In practice this means that you cannot, for example, list one hundred processing activities and rely on a single tick box as consent to all of them.
  • The option to personalise ads is “pre-ticked” when creating an account which does not meet the ‘unambiguous’ threshold, nor does it serve as an “indication of the data subject’s wishes…by a clear affirmative action” as required by the GDPR.

Many smaller businesses will be well aware that pre-ticked boxes are prohibited and a user must undergo a positive action to validly consent. The CNIL was particularly exercised on this issue in the context of ad personalisation.

SIGNIFICANCE OF THE DECISION

The Fine

The fine marks the first major penalty made under the GDPR against a tech giant. It shows us that the regulators are prepared to apply the GDPR with force using the available fine structure. In this case, the fine category was up to 4% of turnover or €20m, whichever is higher. So while some will argue that the fine is a drop in the ocean for a company with sales of c. $110 billion in 2017, it does show us that the regulators are prepared to apply the upper end of the fine mechanism – enough to leave many businesses quaking in their boots at the thought of a complaint made against them.

Business Model

Leaving aside the fine, the decision also has the effect of challenging Google’s lucrative business model of processing personal data for micro-targeted advertising. The severity of the fine reflects the CNIL’s view on the severity of the infringements of the essential GDPR principles of transparency, information and consent, and the intrusive nature of the processes being applied across multiple services.

Consent

In order to legally process data, a data controller or processor must have a valid legal basis. Consent is one of the permitted legal grounds but not the only one. The threshold for what constitutes valid consent is extremely high and this case highlights the challenges facing businesses that rely on consent for complex processing activities.

One-stop shop

One of the key issues in the case centred on the so-called “one stop shop” mechanism and which regulator should have jurisdiction over the case. Google argued that the Irish Data Protection Commissioner was the appropriate regulator, as Google’s European headquarters are based in Dublin. In order to determine which regulator has jurisdiction, one needs to assess the main establishment under Article 4(16) of the GDPR – which states that it will be the controller’s place of central administration unless the decision-making concerning the relevant processing takes place in another place in the EU. The decision notes that Google Ireland Limited lacked the requisite decision-making power when it came to the processing outlined in the privacy policy presented to the user on creating his/her account during Android mobile configuration.

The Irish entity of Google was found only to control other activities such as accounting and tax matters, sale of advertising space, contracting, etc., and furthermore Google Ireland Limited was not mentioned in the privacy policy dated 25 May 2018 as the entity where the main processing decisions were made. The decision further noted that the Android operating system is developed solely by Google LLC. Reference was also made to statements by Google itself about its plans to migrate responsibility from Google LLC to Google Ireland for certain processing of personal data concerning European citizens.

Following discussion with other Data Protection Authorities, the CNIL appears to have formed the view that Google LLC had not established a main establishment in Europe that would allow a lead authority to be identified, and so, in the absence of a lead authority for Google LLC’s European data processing activities, the CNIL’s view was that it was competent to deal with the complaint. The CNIL refers in its decision to recital 36 of the GDPR, which states that “the main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements”.

The main take-away on this issue is that companies cannot be complacent about who their lead supervisory authority is, particularly where this is assumed on the basis of where they are headquartered. The CNIL expressly states that the main establishment does not automatically correspond to a data controller’s headquarters in Europe.

Google appeal

Google has stated that it intends to appeal the decision, saying on 23 January 2019: “We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal”.