On 21 January 2019, the French data protection authority (“DPA”), Commission Nationale Informatique et Libertés (the “CNIL”) fined Google LLC €50 million for breaches of the General Data Protection Regulation (“GDPR”). Google was sanctioned for a lack of transparency, providing inadequate information, and lack of valid consent in connection with targeted advertising. It is the highest fine ever issued under the GDPR or by a European DPA and serves as a stark reminder of the importance of GDPR compliance.
Case Background. In May 2018, two activist privacy organisations, None of Your Business and La Quadrature du Net, complained to the CNIL about Google’s targeted advertising practices. The complaints alleged that Google improperly forced users of its Android phones to agree to its privacy policy and terms and conditions of use. Further, the complaints alleged that Google lacked a valid legal basis for processing customers’ personal data for the purposes of behaviour analysis and targeted advertising.
CNIL’s Jurisdiction. The GDPR establishes a “one-stop-shop” mechanism, whereby a company active in several EU Member States, such as Google, could be regulated by the data protection authority of the Member State where its main establishment is located. Since Google’s European headquarters is in Ireland, one might have assumed that the Irish DPA would have taken the lead in this case. However, the CNIL concluded that Google LLC did not have a main establishment in the European Union because its Irish subsidiary, Google Ireland Limited, did not have any decision-making power over the data use at issue in this case. In making that conclusion, the CNIL also noted that Google Ireland Limited did not have a data protection officer and that the Android system at issue in the case was developed by Google LLC, not Google Ireland Limited. This conclusion allowed the CNIL to proceed with the case without deferring to the Irish DPA, which was consulted in the process. This is particularly important for multinational companies because it demonstrates the DPAs’ willingness to interpret the “main establishment” concept restrictively, leaving companies vulnerable to concurrent enforcement by several DPAs.
GDPR Breaches. On the basis of its investigation, the CNIL determined that Google committed two breaches:
- Violation of transparency and information obligations. The CNIL found that required information, such as the purposes of data processing, data retention periods, and types of data used for targeted advertising, was not easily accessible to users. Rather, that information was “excessively disseminated”, requiring too many clicks by the users to review in its entirety. The CNIL also found that some of the information was not clear and comprehensive.
- Lack of a legal basis for data processing for the purposes of targeted advertising. Google claimed that it obtained users’ consent to process their data for targeted advertising. The CNIL held, however, that this consent was not valid because users were not sufficiently informed about what they were consenting to and because the consent was neither specific nor unambiguous.
The ruling underscores the importance for companies to get their privacy policies right: all required information should be easily accessible and presented in a way that gives the users an overall understanding of how their data will be used.
Record-Setting Penalty. This is the first CNIL-imposed financial penalty under the GDPR, and the message is clear—GDPR compliance is not to be taken lightly, no matter where your business is established. The egregious and continuing nature of Google’s conduct as seen through the eyes of the CNIL, the scale of the data processing at issue, and the fact that Google’s economic model is partly based on targeted advertising were key factors in setting the fine. Google has confirmed that it will challenge the CNIL’s decision before the Council of State, France’s highest administrative court.
Businesses operating or targeting individuals in France and the EU more generally, must ensure that their houses are in order and be prepared to adjust their policies and procedures to ensure ongoing and full GDPR compliance. None of Your Business and La Quadrature du Net have already filed similar complaints with the CNIL against Apple, Facebook, Amazon, and LinkedIn. More large GDPR fines may be coming soon.