The CNIL imposes a fine of 50 million euros on Google
CNIL’s decision n° SAN-2019-001, 29 January 2019
By a resounding decision dated 21 January 2019, the CNIL imposed on Google the first real “GDPR” sanction: an administrative fine of 50 million euros. This decision, which was highly publicized and widely commented on, marks the moment at which GDPR sanctions became a practical reality.
The sanction imposed by the CNIL followed two “collective” complaints, bringing together a total of 9974 people, which were filed on 25 and 28 May 2018 by the associations NOYB (None Of Your Business – an association led by Maximilian Schrems) and La Quadrature du Net. The associations claimed that Google imposed acceptance of its terms of use and privacy policy on users of Android devices, and that it lacked a valid legal basis for its behavioral analysis and targeted advertising processing.
The investigation of the two complaints led the CNIL to address Google’s violations more generally, under the specific powers granted to it by the GDPR. The CNIL thus carried out online checks on the Android operating system, before the case was finally referred to the CNIL’s department in charge of imposing sanctions.
Several aspects of this decision deserve to be commented on:
1. The CNIL’s jurisdiction over Google
Before the merits of the case were addressed, Google argued that only the Irish supervisory authority (the Data Protection Commissioner) could have jurisdiction over it – as “lead authority” – because its subsidiary Google Ireland Limited should be considered Google’s “main establishment” in the European Union, within the meaning of the GDPR.
On the contrary, the CNIL considers that, even if Google Ireland Limited centralizes a large part of Google’s economic activities in the European Union, the concept of main establishment requires that such an establishment have “decision-making power with regard to the processing of the personal data in question”. Yet, until 31 January 2019, only Google LLC – the parent company based in the United States – had such power, as the sole controller of the processing operations carried out in Europe.
Therefore, the CNIL concluded that Google lacked a main establishment in the European Union. As a mechanical consequence, no data protection authority could qualify as the “lead” authority, so the CNIL was able to take charge of the case. In addition, the CNIL had consulted its European counterparts and none of them had designated itself as lead authority.
2. The violations identified by the CNIL
The CNIL’s analysis is based on a study of the different user interfaces displayed when creating and using a Google account as part of the set-up of a new Android device. The CNIL found two main violations:
· Failure to comply with transparency and information obligations.
For the CNIL, the information provided to users of a Google account about the processing of their personal data is neither sufficiently accessible nor sufficiently clear.
Accessibility of information: the CNIL notes that the information required to be disclosed under Article 13 of the GDPR is excessively scattered in a maze of various policies and conditions applicable to Google accounts. In addition, when the user finally lands on the desired section, he or she still needs to locate the useful information in a large amount of text, and then cross-check and compare the different documents available in order to get a clear idea of the conditions under which his or her data is processed. The CNIL gives two examples here: five successive clicks are required before reaching the sections devoted to personalized advertising or geolocation; four are necessary for retention periods.
Clarity of information: the CNIL states that such an assessment must be made in consideration of the processing operations analyzed. In the present case, the volume of data collected and processed in the context of a multitude of services provided by Google, as well as the nature of some of these processing operations (e.g. geolocation), qualify them as “massive and intrusive”.
Consequently, the CNIL considers that: (i) the purposes displayed are too generic and not clear enough (e.g. “to provide personalized services in terms of content and advertising, […] to provide and develop services”); (ii) the description of the data collected is imprecise and incomplete; and (iii) for personalized advertising, the legal basis used does not seem clearly defined.
More generally, the CNIL criticizes Google for not immediately giving the data subjects, when creating their account, a clear and global vision of the processing operations carried out, allowing them to understand their scope and implications.
· Failure to have a legal basis for personalized advertising.
The CNIL considers that consent of the data subjects to the processing of their personal data for advertising purposes is not in accordance with the GDPR, in that it is neither informed, specific nor unambiguous.
Informed consent: here, the CNIL refers back to its findings on the accessibility and clarity of the information communicated to the data subjects, which are insufficient for the consent given to be valid.
Specific and unambiguous consent: the CNIL notes that, throughout the process of creating a Google account, data subjects are never clearly and specifically asked to agree (or not) to the processing of their data for personalized advertising purposes.
On the contrary, the CNIL indicates that it is necessary to access several “submenus” in order to see the corresponding setting appear, and, above all, that the acceptance box for this type of processing is pre-checked. For the CNIL, consent therefore does not follow from an unambiguous and specific positive act of the data subject, but on the contrary proceeds from a “bundled” and “default” validation of all the processing operations.
The CNIL also indicates, in a rather surprising and unfortunately too elliptical fashion, that invoking its 2013 recommendation on cookies is of no relevance in judging the conformity of consent to the processing operations studied. This may imply that the CNIL wishes to distinguish between consent to the placement of a cookie, and consent to the purposes that the placement of the cookie makes it possible to achieve. However, this theoretical distinction seems very difficult to implement in practice and would lead to excessive and regrettable complexity.
For this first major “GDPR” decision, the CNIL exploited the delay experienced by Google, whose European organization did not allow it, at least until 31 January 2019, to have a “main establishment” in the EU. It is likely that this decision will serve as a guide for other international groups wishing to avoid falling under the jurisdiction of the CNIL. For its part, Google has announced that it has lodged an appeal against this decision with the Conseil d’Etat.