A record-€50 millions fine for GOOGLE by the CNIL – The French Privacy Protection Authority
On January 21st, the CNIL sanctioned Google with a €50 million fine pursuant to the GDPR for lack of transparency, default of user’s information and a lack of valid consent during processing of personal data for personalized advertising purposes.
This sanction follows class-action-like collective complaint from May 25 and 28 2018, merging claims of thousands of people, brought by the associations “None of Your Business” and “La Quadrature du net”.
Google first discussed CNIL jurisdiction over the case. The CNIL however declared itself competent to handle collective complaints, excluding the application of the “one stop shop” mechanism, which provides that an organization established in the EU must have as its sole interlocutor the authority of the country where its “main establishment” is located.
For the CNIL, GOOGLE, which European headquarter is located in Ireland, did not fulfil the conditions required by the GDPR to be considered as a main establishment because it lacked decision-making competences with regard to the processing at stake. The CNIL concluded that all supervisory authorities in the European Union were then competent to rule on the processing in question.
Following its investigations, the CNIL concluded that GOOGLE was not complying with its duty of transparency and its obligation to have a lawful base for processing relating to the personalization of advertising.
First, article 12 of the GDPR provides that the information given to the data subjects by the data controller must be provided in a “concise, transparent, intelligible and easily accessible" manner, in the purpose of enabling them to understand the scope and the consequences of the processing carried out on their data.
The CNIL noted that the information in this case was not accessible nor clear or comprehensible according to the GDPR for two reasons:
The general information architecture: essential information is only accessible after several steps and was excessively scattered in several documents with buttons and links that must be activated to obtain the information;
The comprehension of the scope of the processing: the processing in this case was particularly massive and intrusive but the information provided does not allow the data subjects to understand the characteristics of this processing (overly generic and vague purposes, lack of retention period, etc.).
Secondly, any data processing must be based on one of the legal base listed restrictively in the article 6 of GDPR, which includes the consent of the data subject.
As such, articles 4 and 7 of the GDPR provide that consent, to be validly given, must be free, specific informed and unambiguous.
The CNIL considers that the consent could be the legal base of the processing in this case for two reasons:
The lack of informed consent: this lake results from the overly “diluted” nature of the essential information which makes it impossible to be aware of the scope of the processing in question;
The lack of the specific and unambiguous characteristics: the procedure chosen by GOOGLE for consent only allows to consent for all purposes as a whole and not separately for each purpose (lake of specificity) and the user does not perform any positive act to give his consent because of a pre-checked box (lack of unambiguous nature).
This is the first sanction pronounced by the CNIL in application of the GDPR.
The amount of this fine results, in particular, from the extent of the processing in this case, the seriousness and the continuous nature of the breaches.
Furthermore, the CNIL still remained well below the 4% cap of worldwide annual revenue set up by the RGPD, which could have theoretically exposed GOOGLE to a sanction of several billions.
Following this decision, GOOGLE decided to transfer a decision-making competence to its Irish headquarter and to appeal this decision in front of the Conseil d’Etat, the French administrative supreme court.
The CNIL also received complaints from several associations against other major digital players such as Facebook and Amazon.
Tags: