On January 21, 2019, the Commission nationale de l'informatique et des libertés ("CNIL"), France's data protection authority, imposed a fine of €50 million against Google LLC for violations of the General Data Protection Regulation ("GDPR"). This is the largest fine levied under the GDPR to date, and it also marks the first instance in which the GDPR's tiered fine structure has been applied to a US technology company.
The CNIL ruled that the GDPR's "one-stop-shop" mechanism, which allows organizations established in the EU to be subject to the supervisory authority in the jurisdiction of their "main establishment," did not apply. Although Google's EU headquarters are in Ireland, after discussions with EU Data Protection Authorities ("DPAs") that included the Irish DPA, the CNIL determined that because Google's Irish establishment did not "have...decision-making power on the processing operations" of its Android operating system and Google accounts, Google lacked a main establishment in the EU. Notably, the CNIL stated that because the "one-stop-shop" mechanism was inapplicable, "[it] was competent to take any decision regarding processing operations carried out by Google LLC, as were the other DPAs," thereby acknowledging the possibility that Google may be subject to enforcement by additional DPAs in relation to the data processing operations at issue.
The CNIL then determined that Google had committed two types of GDPR violations: 1) insufficient transparency and information; and 2) invalid consent. As to the first type of violation, the CNIL concluded that Google had not made essential information easily accessible. The essential information included: (i) data processing purposes; (ii) data retention periods; and (iii) the categories of personal data captured for ads personalization. Instead, the CNIL pointed out, Google had "excessively disseminated this information across several documents" and required users to click several buttons and links to access it.
The CNIL found that the information Google provided was not always clear or comprehensive, and that "users [were] unable to fully understand the extent of the processing operations carried out by Google," even though the data processing operations were "particularly massive and intrusive because of the number of services offered (about twenty)." Taking the magnitude of Google's data processing operations into consideration, the CNIL also determined that the purposes of the data processing were described in too "generic and vague" a manner, as were the categories of data processed for those purposes. Finally, the CNIL stated that Google did not clearly convey that the legal basis for the ads personalization processing operations was consent rather than the legitimate interest of the company.
As to the issue of consent, the CNIL observed that although Google stated that it obtained the users' consent to process their data for ad personalization purposes, the consent was not validly obtained because it was: (i) not sufficiently informed; and (ii) not specific and unambiguous.
With regard to (i), the CNIL found that "the information on processing operations for the ads personalization [was] diluted in several documents and [did] not enable the user to be aware of [its] extent." In particular, the CNIL referenced the "Ads Personalization" section, in which the user was not made aware of the plurality of services, websites, and applications (e.g., Google Search, YouTube, Google Home, Google Maps, Play Store, and Google Pictures...) involved in the data processing operations and, therefore, of the total amount of data processed and combined.
With regard to (ii), the CNIL stated that although users had the ability to configure the display of personalized ads by clicking the "More Options" button, users who did not click this button would not have the opportunity to consent. In addition, once the "More Options" button was clicked, the option to display personalized ads was pre-ticked. The CNIL explained that for consent to be unambiguous, the GDPR requires a clear affirmative action from the user (for example, ticking a box that is not pre-ticked).
Under the GDPR's tiered fine structure, the CNIL had the ability to issue a fine of up to 4% of Google's annual worldwide revenue from the previous financial year, but it did not do so. While it is unclear exactly how the CNIL arrived at the amount of €50 million, the CNIL explained that the amount of the fine, as well as the corresponding publicity, was justified by the severity of the infringements of the GDPR's essential principles of transparency, information, and consent. The CNIL also referenced the following factors in determining the amount of the fine:
- The potential for the particular data processing to reveal important parts of users' private lives since it was based on a huge amount of data, a wide variety of services, and almost unlimited possible combinations;
- The continuous nature of Google's violations, as they are still occurring today;
- The fact that thousands of French citizens create Google accounts every day because of Android's leading position in France's smartphone market; and
- The reliance of Google's economic model on the processing of personal data for ad personalization purposes, which, from the perspective of the CNIL, gives the company a particular responsibility to comply with the GDPR.
Google has stated that it intends to appeal the CNIL's ruling and has four months from its notification of the CNIL's decision to do so.
If you are interested in receiving updates relevant to Life Sciences compliance, please contact us for four weeks of complimentary access to all Porzio Compliance Digest InfoCenters. Topics include US and International transparency, US Enforcement Action, Mid-level Regulations, and Distribution: Trade and Sample.