CNIL v. Google (January 2019)
In January 2019, the French National Data Protection Commission (CNIL) CNIL published a “deliberation” concerning alleged violations of the GDPR by Google LLC., assessing a 50 million Euro fine to Google. The investigation into Google’s practices was initiated after the receipt of received complaints by two non-profit organizations regarding certain practices of Google on May 25 and May 28, 2018, shortly after the GDPR entered into force. These associations included None of Your Business (“NOYB”) which is operated by Max Schrems, and La Quadrature du Net (“LQDN”) a non-profit organization headquartered in France. Both complaints claimed that Google did not have a valid legal basis to process the personal data of users of its services, in particular when collecting and processing personal data to serve interest based advertising.
Competence to Examine the Complaints
The GDPR establishes a “one-stop-shop mechanism,” which provides that an entity established in the European Union will have as its sole interlocutor or “lead authority” the Data Protection Authority (“DPA”) of the country of its main establishment.
According its published decision, CNIL communicated the complaints to its European counterparts, in order to determine whether it was competent to pursue the matter in accordance with the GDPR provisions on cooperation amongst EU supervisory authorities.
In this case, after discussions with the other relevant supervisory authorities, including that of Ireland where Google’s European headquarters are located, it was determined that Google did not have a main establishment in the European Union and that Google’s Irish subsidiary did not have a decision-making power on the processing operations carried out in the context of the operating system Android which was the subject of the complaints. It was determined that the services were provided by Google LLC, in relation to the creation of an account during the configuration of a mobile phone, and thus, the “one-stop-shop mechanism” was not applicable. CNIL determined that it was competent to make decisions regarding processing operations carried out by Google LLC, as were the other DPA, by referring to the European Data Protection Board’s (EDPB) guidelines.
Technical Evaluation
CNIL carried out online inspections to evaluate the processing operations identified in the Complaints. On the basis of the inspections carried out, CNIL’s committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR.
Violation of the obligations of transparency and information:
CNIL determined that the information provided to Google users is not easily accessible. For example, essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are disseminated across several documents, with buttons and links on which it is required to click to access complementary information. CNIL found that overall the relevant information is accessible after several steps only, for example if a user wants to have a complete information on the data collected for personalization purposes or for geo-tracking.
CNIL also found that some information is not clear or comprehensive. For example, the categories of data processed, and the purposes of processing are described in a too generic and vague manner; the information is not sufficiently clear to allow the user to understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, information about the retention period is not provided for some data.
Violation of the obligation to have a legal basis for ads personalization processing
CNIL determined that the users are not sufficiently informed because the information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to understand the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.
In addition, CNIL observed that the collected consent was neither “specific” nor “unambiguous”. When an account is created, while the user can modify some options. However, the choice regarding the display of ads personalization is pre-ticked.
Finally, before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.
The fine
CNIL imposed a financial penalty of 50 Million euros against Google indicating that the amount is justified by the severity of the infringements of the essential principles of the GDPR: transparency, information and consent, noting that the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The Deliberation also observed that the violations constituted continuous breaches of the GDPR.
Appeal by Google
Google has appealed the decision, arguing among other things that CNIL was not competent to evaluate the complaints.