Skip to Content

GDPR Enforcement Update: French Data Protection Authority hits Google with a Historic 50 Million Euro Penalty

on Friday, 25 January 2019 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

On January 21, 2019, the French data protection authority (“CNIL”) imposed a massive financial penalty of 50 Million euros (approximately 56.8 Million U.S. dollars) against Google for violating provisions of the General Data Protection Regulation (“GDPR”). The penalty is the largest to date assessed under the GDPR and indicates the severity of noncompliance. According to the CNIL, the penalty is the result of complaints filed—one of which was filed on May 25, 2018, the day the GDPR went into effect—by privacy-advocate associations None of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). The complaints alleged, among other things, that: (1) Google’s privacy policy and general terms and conditions (the “Policies”) violated the GDPR because users were forced to consent to these policies in order to use their Android devices and such forced acceptance did not constitute valid consent under the GDPR, and (2) by merely listing several bases for lawful processing, Google’s privacy policy failed to support exact data processing operations with a specific legal basis as required under Articles 6 and 9 of the GDPR. The CNIL began investigating the allegations made in the complaints on June 1, 2018.

Although Google will undoubtedly appeal and fight the CNIL’s penalty, this historic enforcement action and the CNIL’s opinion provides valuable insight into the following: (1) how DPAs may interpret and enforce the GDPR, (2) GDPR enforcement procedure regarding forum and jurisdiction, (3) the persuasive authority of EDPB guidance, (4) guidance regarding the transparency and accessibility of privacy policies and terms of use, and (5) guidance regarding consent and lawful bases for data processing operations.

The CNIL’s opinion provides an often overlooked aspect of the GDPR—claim and enforcement procedure—by addressing how the GDPR determines which EU Data Protection Authority (“DPA”) is the most appropriate to serve as the “lead authority.” For organizations established in the EU, the GDPR states that the DPA of the country where the organizations’ main establishment is located should be the “lead authority” (the “One-stop-shop Rule”) for purposes of investigating alleged violations and enforcing the GDPR. Google argued the CNIL was the inappropriate DPA to investigate the complaints because Google’s European headquarters are based in Ireland. And thus, under the One-stop-shop Rule, the Irish DPA should have been the “lead authority,” not the CNIL. The CNIL disagreed with Google, noting that the GDPR, similar to the Federal Rules of Civil Procedure, seeks to prevent forum shopping and allowing Google to “pick its DPA” based on its self-designated European headquarters was akin to forum shopping. Instead, the CNIL determined that “in order to qualify as a principal establishment, the institution concerned must have decision-making power with regard to the processing of personal data in question,” concluding that when the CNIL began its investigation, Google’s European headquarters “did not have a decision-making power on the processing operations carried out in the context of the Android operating system and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.” Because the One-stop-shop Rule did not apply, the CNIL, and the other DPAs, had the authority to investigate and render a decision on Google’s processing operations.

The CNIL conducted online inspections to verify Google’s data processing operations complied with the GDPR by analyzing users’ browsing patterns and access to certain documents when creating a Google account during the configuration of Android-based mobile devices. The CNIL implemented the guidelines established by the European Data Protection Board (“EDPB”) in its evaluation; specifically, the EDPB’s “Guidelines on Transparency.” The CNIL’s findings provide insight into how DPAs may interpret the GDPR. First, the CNIL analyzed whether Google’s Policies and the methodology used to present users with the opportunity to review such Policies (the “Methodology”) complied with Articles 12 (Transparency) and 13 (Information to be Provided)—they were not. While the CNIL noted that the Policies contained the required information, “the information that must be disclosed to individuals pursuant to [Article] 13 [was] excessively scattered in several documents,” and “[s]uch an ergonomic choice leads to a fragmentation of information thus forcing the user to multiply the clicks necessary to access the different documents.” The CNIL used the following scenario to illustrate the overall lack of accessibility of Google’s Policies:

[I]n terms of geolocation data processing, [CNIL’s investigation] notes that the same course devoid of any intuitive character is required of the user with regard to information relating to geolocation data. The user will have to complete the following steps: Review the Privacy Policy and Terms of Service, click More Options, and then click the Learn More link to view the Location History page and view the displayed text. However, as this text is only a short description of the processing, the user will need to go to the Privacy Policy document and access the Information about your location to access the rest of the information.

The CNIL found that Google’s Policies did not comply with the GDPR’s transparency requirements because the information provided to users about how their data was collected, used, and processed was generic, “particularly imprecise and incomplete,” and did not allow users to sufficiently understand the consequences of allowing Google to process their data. Ultimately, the CNIL explained that the genericity and lack of accessibility of the Policies combined with Google’s “massive and intrusive” data processing operations, rendered users unable to measure the potential effect of Google’s data processing operations on their private lives, let alone provide valid consent to such data processing operations.

Next, the CNIL assessed whether Google’s proffered means of lawful processing—consent—complied with the GDPR. Under the GDPR, “[c]onsent is presumed not to have been freely given if separate consent cannot be given to different personal data processing operations,” meaning “data controller[s] . . . seek[ing] consent for various specific purposes should provide separate consent for each purpose so that users can give specific consent for specific purposes.” Google utilized an opt-out method and a series of checkboxes to obtain consent after users had already accepted Google’s Policies and established a Google Account. The CNIL concluded that the timing and opt-out method did not constitute valid consent because the consent was “not given through a positive act by which the person consent[ed] specifically and distinctly” to Google’s data processing operations. Regarding Google’s use of checkboxes, the CNIL stated “ticking the boxes I accept the conditions of use of Google and I accept that my information is used as described below above and detailed in the privacy rules, and then selecting Create Account—cannot be considered as the expression of a valid consent.”

Sean T. Nakamoto

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design