In an interview dated February 2018, Isabelle Falque-Pierrotin, at the Head of the French data protection authority (CNIL), stated that the CNIL would adopt a flexible and pragmatic approach from May 2018 onwards when controlling compliance with data protection requirements. The first decision of sanction rendered by the CNIL on Monday January 21, 2019, which is to date the most severe sanction ever imposed to a web giant (‘GAFA’) under the GDPR, gives a sense of what that flexible approach might be in the eyes of the French regulator.
Background: a wave of awareness among users at the EU level shows a new face of data protection
In a notice dated November 2018, the CNIL reported that the number of claims related to privacy issues had significantly increased (by 34 percent) since the adoption of GDPR in May 2018. The protection of personal data seems therefore to be becoming an ever more important issue, especially since nonprofit associations are able to collectively report breaches and issue claims on behalf of users to EU data protection authorities, pursuant to Article 80 of the GDPR.
The January 21, 2019 decision of the CNIL against Google recalls the admissibility of complaints filed by nonprofit associations, which have a mandate to represent users. The decision thus follows the collective complaints filed a few days after the entry into force of the GDPR, on May 25 and 28, 2018, by the organization None of your business and the French organization La Quadrature du Net.
As reflected by the length and documented character of the decision (31 pages), delivered in an extremely short time frame after an expeditive procedure (barely 10 weeks), the CNIL shows a clear willingness to implement a far-reaching control over GAFAs regarding the information given to users and consent management, highlighting that the GDPR is aimed at fighting any form of “forum shopping.”
A strict interpretation of the concept of Lead Authority: a widespread control of GDPR requirements at a EU level
Under Article 56 of the GDPR, “the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor (…)”.
The qualification of “main establishment” has become a strategic issue for international companies having establishments in the EU, as potential disputes related to data privacy will not necessarily be submitted to the data protection authority of the main establishment. The uncertainty of the Brexit process has also raised specific concerns in that respect.
Through this strict interpretation of the concept of “Lead Authority,” the CNIL shows it is committed to fight against any “forum shopping” phenomenon within the EU and that it will concretely control whether the entity designated by the company as the main establishment has the necessary characteristics, pursuant to criteria the GDPR has set. The CNIL also insisted on the importance of the principle of cooperation between data protection authorities, as the CNIL communicated the complaints to other data protection authorities after receiving them. In any event, international regulators will have to reconsider their approach as the identification of their Lead Authority in light of this decision. The number of procedural arguments withdrawn by the CNIL in the present case should be seen as an incentive to carefully weight this identification process.
A far-reaching control of the measures implemented to inform users and collect their consent
To the merits of the decision, the CNIL is showing willingness to implement a far-reaching control over Google’s services. It is striking to note that the control the CNIL has implemented over GDPR compliance is very broad and that it took place, not only on the Android operating system, but also on Google accounts, whereas these are separate services with different processing activities. Moreover, it has to be noted that Google had taken steps to inform each new user on the way its data will be used, as the decision outlines that measures had already been implemented by Google, particularly regarding documentation and configuration options. For instance, the possibility to change the privacy settings and different configuration tools were offered to users.
However, according to the CNIL, the information provided was not clear and intelligible whereas the processing operations were considered as significant and intrusive. The CNIL criticized that the relevant information would only be accessible after several steps, sometimes involving up to five or six positive actions by the user. It pointed to the marketing ads or geotracking in particular. The CNIL stated that the clear and comprehensible nature of the information provided has to be assessed, taking into account the nature of each processing operation and its effect on data subjects. For instance, this means providing the user with a first and direct overview of the different processings and of their purposes since the creation of the user’s account.
The CNIL also highlighted the use of pre-checked boxes, whereas it outlined that the GDPR was requiring a “positive” consent, which implies that the user themself ticks the boxes for each specific processing activity.
Were there early warning signs to that penalty?
With this decision, the CNIL is certainly shifting to a sanction approach. However, since May 2018, there were early warning signs in France, as a gradual rise of rigor could be observed in the CNIL decisions, which had been rendered according to French pre-GDPR data protection laws. For instance, on December 19, 2018, the CNIL sentenced Uber to a 400,000 euros fine following alleged security breaches on the Uber “GitHub” collaborative platform. According to the CNIL, Uber should have put in place stronger authentication measures to have access to “GitHub,” such as a secret password to be sent by text message in order to identify the user.
The severity of the sanction could be explained by the fact that, in 2014, Google has already been fined 150,000 euros for an alleged breach of the pre-GDPR French Data Protection Act n° 78-17, notably regarding the information given to the users on the conditions and purposes of processing of their personal data. This could also explain why the CNIL did not send a formal notice to Google – which is what the CNIL tended to do – to correct the breaches. Although the CNIL did not obviously impose a sanction up to 4 percent of the annual worldwide turnover of the company, ( this sanction remains the highest penalty ever imposed and may not be the last of that kind.
Google now has technically two months to decide if it wants to file an appeal before the French Highest Administrative Court, the Council of State (Conseil d’Etat), which will re-examine the alleged breaches. It already announced it would appeal. Meanwhile, in the EU, there is definitely more to come, following further complaints filed on January 18, 2019 with different data protection authorities. The ruling from the Court of Justice of the European Union on January 25, 2018 enabling an individual to bring an action against Facebook in Austria may pave the way for further complaints.
The decision against Google definitely shows that, more than ever, compliance with GDPR requirements is becoming an urgent concern for companies processing personal data in Europe, testing the levels of transparency, as well as the compatibility of existing business models with the GDPR.