January 30, 2019 - On January 21, 2019, the French Data Protection Authority ("CNIL") sanctioned Google LLC for violating the General Data Protection Regulation ("GDPR"). The CNIL fined Google €50 million and ordered its decision to be published on the CNIL's website and Légifrance (the official French website for legal information).
 
Background
 
As soon as the GDPR took effect on May 25, 2018, noyb ("None Of Your Business"), a privacy rights organization founded by Max Schrems, filed a complaint against Google with the CNIL. Three days later, on May 28, La Quadrature du Net filed a similar complaint. The complaints alleged that Android users were forced to consent to Google's privacy policy and its terms and conditions; and that Google processed their personal data for ad personalization purposes without a valid legal basis.
 
The CNIL found three GDPR violations:

  • Lack of transparency - the CNIL found that Google's terms of use, privacy policy and options were not easily accessible to users (GDPR Article 12).
  • Inadequate information - the CNIL found that this information was unclear and incomplete (GDPR Article 13).
  • Lack of valid consent - the CNIL found that Google did not obtain user consent through a clear affirmative act (GDPR Article 6 and Recital 32).

The CNIL's Decision
 
The CNIL determined that it had jurisdiction to hear the complaints
 
The GDPR provides a "one stop shop" mechanism for companies operating in multiple EU countries. Under this mechanism, the data protection authority in the country where the company has its main EU establishment acts as the lead supervisory authority ("LSA") and assumes primary responsibility for GDPR enforcement.
 
Google argued that the CNIL did not have jurisdiction because Google Ireland Limited is Google's main establishment in the EU. Google pointed out that Google Ireland Limited has been the head office for Google's EU operations since 2003, is in charge of administrative and financial functions for the Europe region, and is the signatory on all contracts with advertising agencies located in the EU.
 
The CNIL rejected Google's argument, noting that the main establishment is the place where the decisions regarding the "why" and "how" of personal data processing take place. The CNIL determined that Google Ireland Limited was not Google's main establishment because Google Ireland Limited has only financial, advertising and commercial functions for the European region, and was not identified in Google's privacy policy as the company deciding the means and purposes of processing personal data in the EU. The CNIL therefore decided that the "one stop shop" mechanism did not apply and concluded that it had jurisdiction to investigate GDPR violations in France.
 
The CNIL held that Google violated (1) the GDPR principle of transparency and (2) the obligation to provide adequate information to users
 
The CNIL next turned to whether Google made adequate information accessible to EU data subjects. The CNIL noted that since a company's ergonomic choices determine the transparency of its information, the CNIL assesses a company's compliance based on the company's actual data processing and its concrete impact on data subjects.
 
Here, the CNIL criticized Google's processing for the following reasons:

  • The CNIL found that Google's user information was scattered across several documents and required activation of multiple buttons or links.
  • For example, in the case of ad personalization and geolocation processing, the CNIL found that users had to perform multiple actions and piece together information from several documents to find the relevant information and identify the type of personal data collected by Google.
  • The CNIL also noted that at least four clicks were necessary to access information on data retention.
  • The CNIL found that Google's privacy policy failed to explain the purposes of its data processing in sufficient detail. According to the CNIL, users could not measure the extent of the processing or the degree of intrusion into their private lives.
  • The CNIL determined that Google did not clearly indicate the legal basis for processing as Google stated that it relied on user consent but later stated that it relied on Google's legitimate interests.
  • The CNIL found that Google did not provide users with adequate information when they first created their Google account.

The CNIL found that Google failed to obtain valid user consent
 
The CNIL determined that Google did not obtain valid consent because it (1) failed to inform users that it was processing their data for advertisement purposes, (2) relied on pre-ticked boxes, and (3) obtained blanket consent for multiple types of processing.

The CNIL imposed a severe sanction
 
The €50 million sanction against Google is the highest fine that the CNIL has ever imposed, and the first CNIL fine to reach into the millions of euros. The previous high, imposed against Uber France SAS in December 2018, was €400,000.

Google's Appeal

On January 23, 2019, Google announced that it will appeal the CNIL's decision to the Conseil d'État (French Administrative Supreme Court) because of the decision's negative impact on publishers, original content creators, and tech companies.
 
Practical Considerations - Advice to Companies

  • Monitor the CNIL's Enforcement Priorities: Each year, the CNIL publishes its priority issues and investigation strategy. The 2019 priorities are expected to be released after the CNIL's incoming President, Marie-Laure Denis, takes office.
  • Beware of Class Actions: On November 18, 2018, the French Justice System Reform Act introduced a specific class action for violation of French data protection law. The conditions for bringing a class action are restrictive and the remedies are limited. However, once the CNIL receives a complaint, its investigation will not be limited to the violations alleged in the complaint.
  • Test User Patterns: One of the striking things about the CNIL's decision is the extent to which it conducted its own online investigation of Google's practices and their impact on users. Companies should regularly test user patterns of use and ensure that their information notices and privacy policies comply with GDPR Articles 6, 12 and 13.
  • Follow the Guidelines and Recommendations of the EDPB (European Data Protection Board): The CNIL's decision also shows that companies should monitor and comply with the EDPB's regularly updated guidelines and recommendations.
  • Document the Company's Main Establishment for Purposes of Determining the LSA: One of the reasons the CNIL refused to recognize the Irish data protection authority as the LSA was because Google's privacy policy allegedly failed to identify Google Ireland Limited as its main establishment in the EU for data processing purposes. Companies with EU establishments should identify their main establishment to take advantage of the "one stop shop" mechanism and avoid the risk of multiple investigations.