FRANCE: A new phase in European privacy law enforcement – CNIL fined Google LLC 50 million euros!

By Denise Lebeau-Marianna, Caroline Chancé and Alexandre Balducci

 

On 21 January 2019, the restricted committee of the French Data Protection Supervisory Authority (CNIL) fined Google LLC 50 million euros for breaching GDPR for lack of transparency, inadequate information and lack of valid consent regarding personalized advertising. 

This is the first decision rendered by the CNIL under GDPR and the largest penalty pronounced by a EU data protection supervisory authority against a company for violating GDPR.

The decision follows:

  • two collective complaints lodged with the CNIL as soon as the GDPR application was effective on May 2018, respectively by the non-profit European Center for Digital Rights (known as nyob for “none of your business”) and by the French association called “La Quadrature du Net” (LQDN). Both organizations were regrouping the claims of 9974 data subjects. For more information on those complaints, please read our previous post; and
  • an investigation carried out online by the CNIL on September 2018 to check the compliance to the French Data Protection Law of the data processing resulting from the use of Android on mobile equipment.

This decision is interesting on three main aspects: (1) it provides practical guidance on how the Supervisory Authority (SA) construes certain provisions of the GDPR related to the SA competence as well as the application of the cooperation and the consistency procedures; (2) it gives an idea of the SA expectations regarding transparency, proper information and lawful data processing; and (3) it justifies the high level of sanction applied despite the progress made by Google through the revisions of its privacy policy.

 

1. Was the CNIL, the competent SA and did it properly apply the procedures of cooperation and consistency?

a. Was the CNIL the competent SA?

According to Google, the CNIL was not the competent SA. In accordance with the cooperation procedure set forth in Article 60 of the GDPR,  It should have handed over the claims to the Irish Data Protection Commission (the DPC) which is the lead Supervisory Authority for Google, as Google Ireland Limited should be considered as its main establishment in the EU for the processing activities at stake.

The CNIL did not follow the argument. Considering that the data controller of the data processing at stake is Google LLC (and not Google France), it stated that Google Ireland Limited cannot, in fact, be considered as Google LLC’s main establishment in the EU since it did not have any real and effective decision power over the relevant processing activities based on the following factual items: (i) the Irish entity does not determine the purposes and the means of the processing; (ii)  Google’s privacy policy does not make any reference to Google Ireland Limited as being the company making the decisions in this respect; (iii) the Irish entity had not appointed a DPO to oversee such processing; and the Android operating system is solely developed by Google LLC.; (iv) On top of that, Google mentioned in a letter that the transfer of responsibility in this respect from Google LLC to Google Ireland Limited would be completed on 31 January 2019.

Consequently, in the absence of a main establishment in the EU, Google LLC could not benefit from the “one-stop-shop” mechanism, as it was not possible to clearly identify the lead supervisory authority. The CNIL thus confirmed that it was competent pursuant to Article 55 (which sets forth the competence of each SA for the processing carried out on its territory) and Article 58 (which lists the SA investigative powers) of GDPR to process the collective actions filed.

 

b. Did the CNIL properly apply the cooperation and consistency procedures?

Given the uncertainty around the lead Supervisory Authority, Google argued that the CNIL should have submitted the issue to the EDPB and that it should have cooperated with the other SA to process the claims filed and the actions to take.

The CNIL actually shared in accordance with the cooperation procedure, the complaints with the other EU SA immediately upon their receipt, in order to identify their respective competences and whether a lead SA was appointed. None of them, including the Irish Data Protection Commission, claimed to be the lead supervisory authority.

Therefore, the CNIL considers that the procedures of cooperation and consistency have been respected. As there was no main establishment in EU, no lead authority may be appointed. It was thus not necessary to involve the EDPB, despite the pan-European nature of the data processing at hand.

 

2. Why was Google not compliant with GDPR?

The CNIL’s online investigations evidenced that Google fails to comply with two pillars of the GDPR: transparency (a) and lawfulness (b). The scope of the investigation was the processing of personal data by Android as governed by the privacy policy made available to the user when creating an account to configure its mobile equipment.

 

a. Lack of transparency and breach of information requirements

Recognizing the efforts undertaken by Google towards greater transparency and users’ information, as well as providing users with improved control over their personal data, the CNIL nevertheless found that Google’s current information practices do not comply with the GDPR requirements and the EDPB guidelines on transparency, notably for the following reasons:

      i. General lack of accessibility to the information

The CNIL found that Google failed to provide users with accessible, clear and understandable information, thus preventing them from determining, in advance, the extent and consequences of the processing of their personal data. When proceeding with an in-depth analysis of Google’s information practices, the restricted committee applied the EDPB transparency criteria, providing useful guidance for data controllers.

As implemented, Google’s general information architecture results in information being disseminated across several documents that are provided to users at different times. In addition to this fragmented information, users are forced to navigate and cross-check a large amount of information, across complex web notices and policies, several links to click, in order to be able to understand what data is collected, for which purposes it will be processed and for how long it will be retained by Google.

This complex architecture results in a general lack of accessibility, making it hard for users to find and understand the information.

The CNIL illustrates such statement by the conditions of processing for targeted advertising and geolocation where, in both cases, the user needs to carry out several actions (several clicks) and combine various information to know how his/her personal data is processed and how to exercise his/her rights.

      ii. Lack of clear and understandable information

To assess whether the information provided is clear and understandable as required by Article 12 of the GDPR, the CNIL takes into account the nature of the processing in place and its impact on the data subjects.

The CNIL outlines the fact that Google processes a very large amount of personal data through various sources, in the course of providing its services (e.g. messaging services, YouTube, activities generated by the user web browsing, geolocation etc.) which may reveal sensitive data (e.g. center of interests, life style, tastes, opinions, etc.) rendering Google’s data processing activities “massive and intrusive”.

In this respect, the information provided to users does not allow them to understand the full extent and consequences of the processing activities Google carries out on their personal data since:

  • the description of the purposes is too generic (g. “improve the services we provide to our users.); and
  • the description of the data collected is “particularly incomplete and inaccurate”.

Therefore, the first layer of information provided by Google’s “Privacy & Terms” and “Terms of Service” does not provide users with clear and understandable information which would allow the users to measure the effects of the data processing carried out by Google on its privacy, although the CNIL admits that thorough information provided directly within that first layer would be contrary to the transparency requirement due to the number and extent of Google’s data processing activities. The restricted committee adds in this respect that a different presentation of the “Privacy & Terms” could enable more visibility on the characteristics of data combination activities carried out depending on their data processing purpose.

      iii. Lack of precise information regarding legal basis and retention period

In addition to the foregoing, the CNIL also found that Google failed to provide clear and understandable information as regards the legal basis and the duration of the retention of the personal data it processes in the context or customised advertising.

While Google argues that it relies on data subjects’ consent as the exclusive legal basis for such processing at one point of the company’s “Privacy & Terms”, this information is not provided to data subjects in a sufficiently clear and understandable manner. In addition, for other kinds of targeting advertising such as for instance the context of the browsing, Google uses the “controller’s legitimate interests” as a legal basis. Therefore, the drafting of the information provided to users does not enable them to grasp the difference between the category of customised advertising, which are grounded on consent and the other forms of targeting, which are grounded on Google’s legitimate interests.

According to the CNIL, Google fails to provide the retention period applicable to the personal data it stores or even the criteria used to determine said period. Indeed, only a general explanation on the purpose of the retention period is provided without any precise retention term or criteria enabling to determine such period (“information retained for long periods of time for precise reasons”). The restricted committee reminds that it is a mandatory information required by Article 13- 2° (a).

      iv. The tools made available by Google for transparency and information are not sufficient

Finally with respect to transparency and users’ information, even though the restricted committee welcomes the “multiple information tools” implemented by Google that improve the information provided to users during all their account lifetime, it also considers that the information provided does not reach the sufficient level required by Article 13 of the GDPR as they do not provide such information to data subjects, at the time the personal data is collected.

Indeed, the restricted committee draws Google’s attention to the fact that the Google account is set-up by default to enable customized features (such as personalized recommendations and adverts) that are based on pre-ticked boxes. No need to remind that similar practices of “pre-accepted” terms are forbidden by EU and Member states data protection laws.

Having regards to the “confidentiality check-up” “pop-up window” that appears when creating the account and the Dashboard tool provided by Google, all these tools do not provide sufficient information, as they are only available once the user’s account has been created, therefore preventing users from making a choice at this very crucial step of account creation.

In light of the foregoing, the restricted committee of the CNIL considers that Google is in breach of Article 12 and 13 of the GDPR and fails to provide data subjects with sufficient transparency and information.

 

b. Lack of legal basis for processing data for customized advertising

Google argues that it relies on the users’ consent to process their personal data for behavioural targeting purposes. However, the CNIL considers that such consent (requested during the account creation process) has not been obtained validly by Google, on the two main following grounds:

  • The users’ consent is not sufficiently informed, for all the reasons detailed in paragraph (a) above (absence of clear and understandable information).
  • It is ambiguous and not specific enough. In particular, the CNIL notes that:
    • Google uses an opt-out mechanism in the account settings (pre-ticked boxes by default) for the user’s preferences in terms of customised advertising, which is contrary to the express consent requirement under GDPR;
    • If the user wants to change his/her preferences, he/she can only do so by clicking on a specific link “more options”. Otherwise, if the user simply continues the creation of his/her account, his/her consent will be deemed given to Google. Therefore, the user would not consent specifically and distinctively, by means of a positive action, to the processing of his/her personal data for behavioural targeting purposes; and
    • Google requires the users to consent to the privacy policy, the terms of use and to select “create an account” as a whole. By doing so, the condition of specific consent is not met since the user is requested to consent to a set of processing implemented by Google including customised advertising (“all or nothing”).

 

3. Why did the CNIL apply such high level of fine?

The CNIL applied the highest threshold available in the GDPR, ( i.e., 20,000,000 euros or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher) for the following reasons:

  • According to the CNIL, there is a violation of the basic key data protection principles for (transparency and lawfulness), which must be taken seriously
  • such violations were continued;
  • Taking into account the purpose, the scope and the number of data subjects (massive and intrusive collection of personal data), the violations were severe;
  • The business model of Google is essentially based on the exploitation of personal data of its users, from which it gets benefits; and
  • Google, with its operating system Android, occupies an important  position on the operating system market.

 

The CNIL ruling starts a new phase in enforcing European laws and sends a strong signal to the various organizations processing EU personal data around the world and in particular those having a business model based on the exploitation of personal data. It obliges companies which appoint a Lead Supervisory Authority to be able to demonstrate the involvement of the EU principal establishment in the processing under the scrutiny of an EU SA and to review carefully their policies and dashboard tools to evidence that the principles of transparency, accessibility, clarity and lawfulness are respected. Google has appealed this decision to the Council of State.

This is the largest sanction ever pronounced by an EU data protection SA under GDPR. More of them are expected in the near future as the collective complaints filed by nyob and LQDN did not only target Google, but other Internet giants. As for France, the CNIL also reported one other collective complaint lodged by the English NGO Privacy International against Ad Tech Data Brokers companies  to assess their compliance with GDPR. In addition, the CNIL may also refer cases to itself further to its own investigations.

The DLA Piper Data Privacy Team closely follows the impact of this decision and the other decisions to come in the other EU jurisdictions, on the existing or ongoing compliance processes of organizations.

For more information, please contact Denise Lebeau-Marianna or Caroline Chancé.