GDPR Enforcement Update: French Data Protection Authority Hits Google with a Historic 50 Million Euro Penalty
The CNIL’s decision addresses an often overlooked aspect of the GDPR—its complaint and enforcement procedure—by explaining how the GDPR determines which EU Data Protection Authority (“DPA”) serves as the “lead authority.” For organizations established in the EU, the GDPR provides that the DPA of the country in which the organization’s main establishment is located acts as the “lead authority” (the “One-stop-shop Rule”) for purposes of investigating alleged violations and enforcing the GDPR. Google argued that the CNIL was not the appropriate DPA to investigate the complaints because Google’s European headquarters are located in Ireland, so that, under the One-stop-shop Rule, the Irish DPA should have been the “lead authority.” The CNIL disagreed, reasoning that the GDPR, much like the Federal Rules of Civil Procedure, seeks to prevent forum shopping, and that allowing Google to “pick its DPA” on the basis of a self-designated European headquarters would amount to exactly that. Instead, the CNIL determined that “in order to qualify as a principal establishment, the institution concerned must have decision-making power with regard to the processing of personal data in question,” and concluded that, when the CNIL began its investigation, Google’s European headquarters “did not have a decision-making power on the processing operations carried out in the context of the Android operating system and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.” Because the One-stop-shop Rule did not apply, the CNIL, like the other DPAs, had the authority to investigate and rule on Google’s processing operations.
The CNIL conducted online inspections to verify that Google’s data processing operations complied with the GDPR, analyzing the path users follow and the documents they can access when creating a Google account during the configuration of an Android-based mobile device. In its evaluation, the CNIL applied the guidelines issued by the European Data Protection Board (“EDPB”), specifically the EDPB’s “Guidelines on Transparency.” The CNIL’s findings provide insight into how DPAs may interpret the GDPR. First, the CNIL analyzed whether Google’s Policies, and the way users were presented with the opportunity to review those Policies (the “Methodology”), complied with Articles 12 (Transparency) and 13 (Information to be Provided), and found that they did not. While the CNIL acknowledged that the Policies contained the required information, “the information that must be disclosed to individuals pursuant to [Article] 13 [was] excessively scattered in several documents,” and “[s]uch an ergonomic choice leads to a fragmentation of information thus forcing the user to multiply the clicks necessary to access the different documents.” The CNIL used the following scenario to illustrate the overall lack of accessibility of Google’s Policies:
The CNIL found that Google’s Policies did not comply with the GDPR’s transparency requirements because the information provided to users about how their data was collected, used, and processed was generic, “particularly imprecise and incomplete,” and did not allow users to understand the consequences of permitting Google to process their data. Ultimately, the CNIL explained that the generic nature and inaccessibility of the Policies, combined with Google’s “massive and intrusive” data processing operations, left users unable to gauge the effect of those operations on their private lives, let alone give valid consent to them.
Next, the CNIL assessed whether Google’s asserted legal basis for processing—consent—satisfied the GDPR. Under the GDPR, “[c]onsent is presumed not to have been freely given if separate consent cannot be given to different personal data processing operations,” meaning that “data controller[s] . . . seek[ing] consent for various specific purposes should provide separate consent for each purpose so that users can give specific consent for specific purposes.” Google relied on an opt-out mechanism and a series of checkboxes to obtain consent, and did so only after users had already accepted Google’s Policies and created a Google Account. The CNIL concluded that neither the timing nor the opt-out mechanism produced valid consent, because the consent was “not given through a positive act by which the person consent[ed] specifically and distinctly” to Google’s data processing operations. Regarding the checkboxes, the CNIL stated that “ticking the boxes ‘I accept the conditions of use of Google’ and ‘I accept that my information is used as described above and detailed in the privacy rules,’ and then selecting ‘Create Account’—cannot be considered as the expression of a valid consent.”