On January 21, 2019, the French Data Protection Authority (the “CNIL”) imposed a fine of €50 million on Google LLC under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile device and create a Google account, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. The CNIL’s enforcement action was the result of collective actions filed by two not-for-profit associations. This fine against Google is the first fine imposed by the CNIL under the GDPR and the highest fine imposed by a supervisory authority within the EU under the GDPR to date.
Background
On May 25, 2018, the Austrian not-for-profit association None Of Your Business (“NOYB”) filed a collective action with the CNIL pursuant to Article 80 of the GDPR, arguing that mobile phone users using Google’s Android operating system are required to accept Google’s privacy policy and general terms of use of Google services in order to use their mobile phones. On May 28, 2018, the French not-for-profit association La Quadrature du Net (“LQDN”) also filed a collective action, arguing that Google did not have a valid legal basis to process users’ personal data for behavioral analysis and targeted advertising purposes.
On June 1, 2018, the CNIL shared these two complaints with other EU data protection supervisory authorities with a view toward designating a lead supervisory authority in accordance with Article 56 of the GDPR. On September 21, 2018, the CNIL nonetheless carried out an online inspection to assess whether the processing activities carried out by Google in the context of the Android operating system complied with the French Data Protection Act and the GDPR.
CNIL’s Jurisdiction over Google LLC’s Processing Activities
Google challenged the jurisdiction of the CNIL arguing that its Irish affiliate, Google Ireland Limited, is Google LLC’s European headquarters and its main establishment for the purposes of the GDPR’s one-stop-shop mechanism and that the complaints should have been handled by the Irish Data Protection Commissioner as Google’s lead supervisory authority.
According to the CNIL, the evidence provided by Google revealed that Google Ireland Limited was simply involved in various activities carried out by Google LLC in the EU and did not have decision-making powers over the personal data processing activities covered in the privacy policy presented to users when creating a Google account during the configuration of their Android mobile phones. Accordingly, the CNIL concluded that Google did not have a main establishment in the EU and that the one-stop-shop mechanism was therefore inapplicable. As a result, the CNIL was competent to evaluate the data processing activities carried out by Google LLC. The CNIL did not consult the European Data Protection Board regarding identification of a possible lead supervisory authority, and noted that the president of the Board similarly did not consider it necessary for the Board to be consulted.
Alleged GDPR Violations
In its ruling, the CNIL found that Google LLC had failed to (1) comply with the transparency and notice requirements of the GDPR and (2) obtain valid consent from users. With respect to the transparency obligations, the CNIL found that the disclosures provided by Google were not easily accessible for users and that information was spread between several documents. According to the CNIL, these documents included multiple buttons and links on which users had to click to access additional information, requiring sometimes up to 5 or 6 actions to obtain the relevant information about the data processing. In addition, the CNIL found that the description of the purposes (such as providing personalized services in terms of content and ads, ensuring the security of the services and products, and providing and developing services) and the types of data processed for these purposes were too vague. In the CNIL’s view, those descriptions could not allow users to understand the extent of the data processing carried out by Google and its consequences. The CNIL also found that the privacy policy was not clear with respect to the legal basis for processing personal data for ad personalization purposes (i.e., users’ consent). Further, the CNIL found that, for a certain type of data, the information provided did not include a specific retention period or the criteria that would allow users to determine that period.
With respect to consent, the CNIL found that, in light of the above, users’ consent for ad personalization purposes was not sufficiently informed since the information was diluted across several documents. In addition, the CNIL also found that users’ consent was not specific or unambiguous, as required by the GDPR. The CNIL noted that it was possible for users to modify some of the options associated with their Google account and to configure the display of personalized ads by ticking a box. However, in the CNIL’s view, consent was not unambiguous as the boxes in question were pre-checked by default. In this respect, the CNIL stated that unambiguous consent requires a clear affirmative action from users (e.g., by checking a box that is not pre-checked). Further, the CNIL found that consent was not specific as, before creating an account, users were asked to consent to all the processing operations carried out by Google based on consent, as further described in Google’s privacy policy. The CNIL stated that consent is specific only if it is given distinctly for each purpose.
CNIL’s Sanction
In setting its fine at €50 million, the CNIL considered the following:
- The fact that the alleged violations relate to essential principles of the GDPR and are therefore particularly serious;
- The fact that the alleged violations are still occurring and constitute continuous breaches of the GDPR;
- The importance of the Android operating system in the French market; and
- The extent of the data processing operations covered by the privacy policy presented to users when creating a Google account during the configuration of their Android mobile phone, considering the number of Google services involved and the variety of data processed via, or in relation to, the Android operating system.
The CNIL imposed its fine upon Google LLC but addressed its decision to Google France SARL in order to enforce its decision. Google LLC may appeal this decision within four months before France’s highest Administrative Court (Conseil d’Etat).