The decision was based on complaints referred to the CNIL by two non-governmental organisations, None of Your Business (NOYB) and La Quadrature du Net (LQDN). In May 2018 both organisations alleged that Google LLC had no valid legal basis for processing personal data, in particular for the purpose of ads personalisation. In June 2018 the CNIL therefore first examined whether the one-stop-shop mechanism applied, in order to establish whether it was competent to deal with the complaints at all.
Under the one-stop-shop mechanism, complaints against organisations operating in several EU member states are primarily handled by the Data Protection Authority (DPA) of the member state in which the organisation has its main establishment. The question was therefore whether Google's European headquarters in Ireland constituted a main establishment within the meaning of the GDPR, in which case the CNIL would have had to cooperate with the Irish DPA in handling the complaints.
The CNIL and the other authorities concluded that the American company Google LLC had no main establishment in the EU, since none of its EU entities held decision-making powers over the processing of personal data carried out in the context of the Android operating system and the Google LLC services involved when a user creates a Google account while configuring a mobile device running Android.
The CNIL could accordingly handle the complaints itself, and in September 2018 it opened an investigation to verify whether they were justified. It did so by analysing the browsing path of a user creating a Google account during the configuration of an Android mobile device, together with the documents the user could access along the way. On the basis of this investigation, the CNIL established three breaches.
The information obligation requires that companies provide the data subject with information about the processing of their personal data.
The purposes of the processing and the categories of personal data were described in generic and vague terms, the legal basis for the processing operations carried out for ads personalisation purposes was not made explicit, and the storage periods were not provided for some categories of personal data.
The information Google provided was therefore considered inadequate, constituting a breach of the information obligation.
The principle of transparency requires, among other things, that information is concise, easily accessible and easy to understand.
Essential information, such as the purposes of the processing, the storage periods and the categories of personal data, was spread across several documents, with buttons and links that had to be clicked to reach complementary information; in some cases five or six actions were needed to reach the relevant information, and it was not always apparent where to find it.
The inaccessible and incomprehensible way in which the information was presented therefore constituted a breach of the transparency requirement.
To be valid, consent must be freely given, specific, informed and unambiguous.
As noted above, the information on the processing operations carried out for ads personalisation was spread across several documents and did not enable users to grasp the extent of the processing, for instance the number of services, websites and applications involved in these operations (Google search, YouTube, Google home, Google maps, Google pictures…).
The consent was therefore not adequately informed.
Finally, consent to ads personalisation was pre-ticked, and the setting could only be changed after the account had been created, by clicking the "More options" button. The consent was therefore not considered unambiguous.
The CNIL thus concluded, in line with the complaints filed by the two non-governmental organisations, that Google had no legal basis for processing personal data for ads personalisation purposes.
On the basis of these breaches, the CNIL imposed a financial penalty of EUR 50 million and made the decision public. Google has already announced that it intends to appeal.
The amount of the penalty is above all justified by the severity of the infringements, which all concern essential principles of the GDPR: transparency, information and consent. Users were deprived of essential guarantees that exist to protect their private lives.
The CNIL further stresses that the violations are continuous breaches, still observable on the date of the decision. It also notes Android's strong position in the French market, where thousands of users are expected to create Google accounts in the future.
Finally, the CNIL points out that Google's economic model is partly based on ads personalisation, so that Google bears a particular responsibility for complying with the obligations in this area.
Although the fine is almost 100 times greater than the largest penalties previously issued in Europe for personal data violations (GBP 500,000 in the United Kingdom (~ EUR 573,000) and EUR 250,000 in France), it is far from the maximum penalty of 4% of the company's annual worldwide turnover. In 2017 Google LLC generated a turnover of about EUR 96 billion, which would have allowed a maximum penalty of EUR 3.84 billion.
The decision is nevertheless important, as it shows that the French Data Protection Authority (the CNIL) is prepared to apply the increased sanctions introduced by the GDPR. Google's practice of using very broad and generic wording is common on the internet, for search engines and other sites alike; many companies will consequently have to rewrite their privacy policies and consent declarations if they want to avoid being the next to receive a fine and media attention.
It is also notable that one of the grounds for the penalty and for publishing the decision was that Google's economic model is partly based on ads personalisation. This implies that the more central the processing of personal data is to a company's economic model, the greater that company's responsibility for complying with the rules.
Finally, companies must be aware that if decisions about the processing of personal data are taken outside the EU, the one-stop-shop mechanism does not apply. Breaches concerning personal data may then, as a general rule, be dealt with by the Data Protection Authority of each EU member state in which the processing affects data subjects, rather than by a single lead authority.
When NOYB filed its complaint against Google in May 2018, it simultaneously filed complaints against Facebook, Instagram and WhatsApp, so decisions on these complaints can be expected in the near future. Holst is naturally following developments.
Read the decision here (in French): https://www.cnil.fr/sites/default/files/atoms/files/san-2019-001_21-01-2019.pdf
Read the news from the French CNIL about the decision here (in English): https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc