Denise Lebeau-Marianna, Partner & Alexandre Balducci, Associate – DLA Piper France LLP
Further to two complaints filed by non-governmental organisations None Of Your Business (NOYB) and La Quadrature du Net (LQDN), the French data protection supervisory authority (CNIL) restricted committee imposed on January 21, 2019 a EUR 50 million administrative fine against Google LLC for failure to comply with GDPR requirements on transparency, inadequate information and lack of valid consent for ads personalization. This decision is one of the highest sanctions in Europe to date.
Google LLC appealed the CNIL decision before France’s highest administrative court, the Conseil d’État (Council of State).
On June 19, 2020 the Council of State confirmed the CNIL decision and dismissed Google LLC’s appeal.
It is worth noting that, less than a month after the CNIL decision of January 21, 2019, Google was also sanctioned by the Paris Tribunal de Grande Instance (Paris High Court) on February 12, 2019 further to a complaint filed by the consumer defence group UFC – Que Choisir for its data protection practices and on similar grounds, including transparency, inadequate information and lack of valid consent. The UFC – Que Choisir made a voluntary intervention in the proceedings before the Council of State to support the CNIL decision against Google LLC.
Among the various grounds of appeal, Google LLC argued that:
- The CNIL had no jurisdiction since Google LLC’s main establishment in Europe was in Ireland (Google Ireland Limited). Therefore, the Irish Data Protection Authority, acting as Google’s lead authority, had sole jurisdiction to monitor Google’s data processing activities on the European Union territory (1)
- The CNIL’s assessment that Google did not collect a valid consent for ads personalization and does not comply with the transparency and information requirements set forth in Articles 12 and 13 of the GDPR is not legally grounded (2)
- The fine of EUR 50 million is disproportionate and does not take into account the criteria set forth in article 83-2 of the GDPR (3)
1. The CNIL has jurisdiction over cross-border processing operations carried out in France by a controller established outside of the European Union
Google LLC argued that the CNIL did not have jurisdiction over its activities in the European Union and should have referred the claims filed by the two non-governmental organizations NOYB and LQDN to the Irish Data Protection Commissioner (Irish DPC), acting as the lead supervisory authority since Google LLC’s “main establishment” in the European Union is Google Ireland Limited.
Google LLC further argued that the CNIL failed to obtain the European Data Protection Board (EDPB) opinion on the competent supervisory authority, in accordance with Article 64 of the GDPR, and did not properly apply the cooperation and consistency mechanisms under Articles 60 et seq. of the GDPR. Google LLC thus requested that the Council of State refer this specific issue to the European Court of Justice for a preliminary ruling.
The Council of State confirms that the CNIL had jurisdiction over the processing operations carried out by Google LLC and involving the personal data of Android OS users located in France. The Council of State thus rejects Google LLC’s request for a preliminary ruling, on the grounds that, at the time of the CNIL investigations and decision, Google Ireland Limited was not Google LLC’s main establishment in the European Union and the one-stop-shop mechanism did not apply, since Google LLC retained at that time the sole decision power and control over the purposes and means of the processing operations carried out with respect to the personal data of Android OS users in the European Union.
- As a result, in the context of cross-border processing operations carried out in Member States by controllers established outside of the European Union, the fact that such controllers’ affiliates in the European Union have no control or decision powers over such processing operations raises the risk that non-EU controllers will face simultaneous but distinct investigations and sanctions by EU national supervisory authorities and, ultimately, the risk of inconsistencies in the enforcement of the GDPR across Member States. Non-EU controllers that wish to use the one-stop-shop mechanism should thus ensure that their internal organisation and data governance enable the effective designation of a main establishment in the European Union.
2. Confirmation that Google LLC failed to comply with GDPR requirements regarding transparency and collection of a valid consent
The Council of State confirms the CNIL’s analysis with respect to the two following issues: lack of transparency (i) and failure to obtain a valid consent (ii).
i. Lack of Transparency and inadequate information
The CNIL sanctioned Google LLC for failure to comply with the transparency and information requirements under Articles 12 and 13 of the GDPR, despite Google LLC’s argument that it was complying with the EDPB recommendation to provide the mandatory information using a “layered approach”.
According to the Council of State, the information provided to data subjects is not only incomplete but also lacks accessibility and clarity, where the processing operations are particularly intrusive due to the volume and nature of personal data involved (including for instance profiling and geolocation).
Indeed, the first layer of information – displayed upon the creation of a Google account by Android OS users and also available thereafter – did not contain all the necessary information enabling data subjects to determine the significance and consequences of the processing operations carried out on their personal data, more particularly regarding purposes thereof, which were not all provided at this stage, but only accessible in the subsequent “layers” of information.
- Consequently, controllers should not provide overly general information in the “first layer” of information. Rather, they should make sure to provide the most substantial information regarding the conditions of processing (e.g., the different purposes and extent of the processing), enabling the data subjects to understand the consequence and significance of the processing of their personal data when they use the services. A more detailed description may then be provided in subsequent layers of information.
In addition, the structure of the information scattered the relevant details across many documents, thus requiring up to 5 or 6 actions from the user (including back and forth through several documents and hyperlinks) to gather all the information concerning a given processing operation.
Finally, the information provided in the subsequent “layers” was incomplete, notably regarding data retention terms which were too generic and did not refer specifically to the purposes and categories of data to which they applied.
ii. Failure to obtain a valid consent under the GDPR
The CNIL sanctioned Google LLC for failure to obtain a valid consent in accordance with the standard of consent under Articles 4(11), 6 and 7 of the GDPR, as regards the processing operations carried out for purposes of ads personalization.
Google LLC argued that it had obtained data subject consent to the processing operations for purposes of ads personalization. However, the Council of State rejects Google LLC’s arguments and confirms the CNIL’s position:
Firstly, the Council of State highlights that Google LLC failed to provide mandatory information to data subjects, notably as regards the different processing purposes, at the time their consent was collected, such information being only available in other documents accessible via hyperlinks which users were not prompted to consult. As a result, Google LLC failed to implement a “specific” and “informed” consent, in contradiction with the GDPR standard of consent under Article 4(11) of the GDPR.
Secondly, the Council of State confirms that Google LLC failed to collect a valid consent regarding the processing operations for purposes of personalized advertising, since such consent was collected by way of a pre-checked checkbox and, thus, did not result from a “clear affirmative action” from the data subject, as required under Article 4(11) of the GDPR. This position is in line with the CNIL’s historical approach to the topic and the European Court of Justice’s interpretation provided in its “Planet 49” decision, to which the Council of State expressly refers. As a result of the foregoing, the Council of State confirms that Google LLC’s processing operations for purposes of ads personalization were not based on a valid legal ground.
- In order to ensure that the consent on which they ground their processing operations complies with the GDPR requirements, controllers should make sure that the first layer of information provided when collecting consent includes the relevant information regarding all the processing purposes and that such consent is specific to one or more determined purposes, resulting from the data subject’s active behaviour.
3. The EUR 50 million administrative fine is considered proportionate
According to the Council of State, the EUR 50 million administrative fine issued by the CNIL is proportionate, due to the severity of Google LLC’s infringements of the French Data Protection Act and GDPR requirements, which is characterised by the nature of the infringements of transparency and legal basis requirements, the impact thereof on the data subjects, the continuous infringement over a long period of time and the financial situation of Google LLC.
Though Google considered that substantial efforts have been made to enhance the information provided to data subjects, the high level of the sanction is justified by the fact that such infringement had been continuous over a long period of time and had a substantial impact on a certain number of data subjects.
In addition, the Council of State has highlighted that the CNIL was under no obligation to provide the detail of each and every criterion under Article 83.2 of the GDPR relating to the conditions for imposing administrative fines, on which the authority has grounded its decision, and that there is no provision under the French Code of Relations between the Public and the Administration mandating the CNIL to provide a detailed explanation of the amount of the fines it issues.
In light of the foregoing, the Council of State dismissed Google LLC’s appeal and rejected its requests for a reference for a preliminary ruling to the European Court of Justice, notably regarding the jurisdiction of Member States’ data protection supervisory authorities and the conditions of validity of consent.
 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data
 CNIL, deliberation SAN-2019-001 of January 21, 2019, available at https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000038032552&fastReqId=2103387945&fastPos=1
 TGI Paris, 12 February 2019, 14/07224, UFC-Que Choisir c. Google, Inc.
 As defined under Article 4(16) of the GDPR
 European Data Protection Board, Guidelines on Transparency under Regulation 2016/679, revised and adopted on 11 April 2018 (wp260 rev.01)
 European Court of Justice, October 1, 2019 (C-673/17), Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. v Planet49 GmbH