France’s data protection regulator, the CNIL, issued a €50 million fine against Google for failing to comply with its GDPR obligations. This is the biggest GDPR fine yet issued by a European regulator. The CNIL justified the fine on the basis that Google had failed to provide users with enough information about its data consent policies and did not give users enough control over how their personal data was being used.
On the 25th and 28th of May 2018, the National Commission for Informatics and Liberties (the CNIL, the French data protection authority) received two collective complaints filed by the association “None Of Your Business” (hereafter “NOYB”, an association created by Max Schrems, the well-known activist who won several lawsuits against Facebook, resulting in the invalidation of the Privacy Shield) and by the association “La Quadrature du Net” (hereafter “LQDN”, a French association defending individuals’ freedoms on the internet).
In their complaints, NOYB and LQDN accuse Google of not having a valid legal basis to process the personal data of users of its services in the context of creating a Google account on an Android device, particularly with regard to ad personalization on YouTube and Google Maps.
Discussions about the jurisdiction of the CNIL in the context of the “one-stop shop mechanism”
As Google LLC is a company with several establishments in different European countries as well as outside the EU, the CNIL first consulted its European counterparts to determine whether Google had a main establishment in the EU and, if so, which national authority should be designated as lead authority.
In this case, the discussions with the other data protection authorities, in particular with the Irish DPA, concluded that Google LLC did not have a main establishment in the European Union, as the Irish establishment did not have decision-making power over the processing operations at stake.
As the so-called “one-stop-shop mechanism” was therefore not applicable, there was no need to appoint a lead authority for a cross-border investigation, and the CNIL was free to start its own investigation to verify Google’s compliance with the GDPR and with the applicable provisions of the French Data Protection Act when an account is created using Android.
The findings of the CNIL
The restricted committee of the CNIL decided that Google LLC was in breach of its obligations of transparency, information and consent, as the essential information about its processing of personal data was spread across many documents and users had to click through many different links and buttons to reach it.
Moreover, the restricted committee of the CNIL observed that important information provided by Google LLC about processing, data retention and the legal grounds for processing was often unclear, incomprehensible or too generic.
Finally, the restricted committee also observed that the processing operations carried out by Google LLC when an account is opened on an Android device were particularly massive and intrusive, given the number of services offered and the quantity and sensitivity of the personal data processed.
The sanctions applied by the CNIL to Google LLC
The CNIL’s restricted committee publicly imposed a financial penalty of €50 million on Google LLC and justified this unprecedented sanction on the following grounds:
- the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent;
- the continuous nature of the infringements (not a one-off breach);
- Google’s dominant position in the market;
- the fact that the economic model of Google LLC is based (partly) on ads personalization.