January 30, 2019 - On January 21, 2019, the French Data Protection Authority ("CNIL") sanctioned Google LLC for violating the General Data Protection Regulation ("GDPR"). The CNIL fined Google €50 million and ordered its decision to be published on the CNIL's website and Légifrance (the official French website for legal information).
The CNIL found three GDPR violations:
Inadequate information - the CNIL found that the information Google provided to users was unclear and incomplete (GDPR Article 13).
Lack of valid consent - the CNIL found that Google did not obtain user consent through a clear affirmative act (GDPR Article 6 and Recital 32).
The CNIL's Decision
The CNIL determined that it had jurisdiction to hear the complaints
The GDPR provides a "one stop shop" mechanism for companies operating in multiple EU countries. Under this mechanism, the data protection authority in the country where the company has its main EU establishment acts as the lead supervisory authority ("LSA") and assumes primary responsibility for GDPR enforcement.
Google argued that the CNIL did not have jurisdiction because Google Ireland Limited is Google's main establishment in the EU. Google pointed out that Google Ireland Limited has been the head office for Google's EU operations since 2003, is in charge of administrative and financial functions for the Europe region, and is the signatory on all contracts with advertising agencies located in the EU.
The CNIL held that Google violated (1) the GDPR principle of transparency and (2) the obligation to provide adequate information to users
The CNIL next turned to whether Google made adequate information accessible to EU data subjects. The CNIL noted that since a company's ergonomic choices determine the transparency of its information, the CNIL assesses a company's compliance based on the company's actual data processing and its concrete impact on data subjects.
Here, the CNIL criticized Google's processing for the following reasons:
The CNIL found that Google's user information was scattered across several documents and required activation of multiple buttons or links.
For example, in the case of ad personalization and geolocation processing, the CNIL found that users had to perform multiple actions and piece together information from several documents to find the relevant information and identify the type of personal data collected by Google.
The CNIL also noted that at least four clicks were necessary to access information on data retention.
The CNIL determined that Google did not clearly indicate the legal basis for its processing: Google first stated that it relied on user consent, but later stated that it relied on its legitimate interests.
The CNIL found that Google did not provide users with adequate information when they first created their Google account.
The CNIL found that Google failed to obtain valid user consent
The CNIL determined that Google did not obtain valid consent because it (1) failed to inform users that it was processing their data for advertisement purposes, (2) relied on pre-ticked boxes, and (3) obtained blanket consent for multiple types of processing.
The CNIL imposed a severe sanction
The €50 million sanction against Google is the highest fine that the CNIL has ever imposed, and the first fine that the CNIL has ever imposed that is in the millions. The previous high, imposed against Uber France SAS in December 2018, was €400,000.
On January 23, 2019, Google announced that it will appeal the CNIL's decision to the Conseil d'État (the French Administrative Supreme Court) because of the decision's negative impact on publishers, original content creators, and tech companies.
Practical Considerations - Advice to Companies
Monitor the CNIL's Enforcement Priorities: Each year, the CNIL publishes its priority issues and investigation strategy. The 2019 priorities are expected to be released after the CNIL's incoming President, Marie-Laure Denis, takes office.
Beware of Class Actions: On November 18, 2018, the French Justice System Reform Act introduced a specific class action for violation of French data protection law. The conditions for bringing a class action are restrictive and the remedies are limited. However, once the CNIL receives a complaint, its investigation will not be limited to the violations alleged in the complaint.
Test User Patterns: One of the striking things about the CNIL's decision is the extent to which it conducted its own online investigation of Google's practices and their impact on users. Companies should regularly test how users actually interact with their services and ensure that their information notices and privacy policies comply with GDPR Articles 6, 12 and 13.
Follow the Guidelines and Recommendations of the EDPB (European Data Protection Board): The CNIL's decision also shows that companies should monitor and comply with the EDPB's regularly updated guidelines and recommendations.