Privacy & Information Security Law Blog

On January 21, 2019, the French Data Protection Authority (the “CNIL”) imposed a fine of €50 million on Google LLC under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile device and create a Google account, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. The CNIL’s enforcement action was the result of collective actions filed by two not-for-profit associations. This fine against Google is the first fine imposed by the CNIL under the GDPR and the highest fine imposed by a supervisory authority within the EU under the GDPR to date.

Background

On May 25, 2018, the Austrian not-for-profit association None Of Your Business (“NOYB”) filed a collective action with the CNIL pursuant to Article 80 of the GDPR, arguing that mobile phone users using Google’s Android operating system are required to accept Google’s privacy policy and general terms of use of Google services in order to use their mobile phones. On May 28, 2018, the French not-for-profit association La Quadrature du Net (“LQDN”) also filed a collective action, arguing that Google did not have a valid legal basis to process users’ personal data for behavioral analysis and targeted advertising purposes.

On June 1, 2018, the CNIL shared these two complaints with other EU data protection supervisory authorities with a view toward designating a lead supervisory authority in accordance with Article 56 of the GDPR. On September 21, 2018, the CNIL nonetheless carried out an online inspection to assess whether the processing activities carried out by Google in the context of the Android operating system complied with the French Data Protection Act and the GDPR.

CNIL’s Jurisdiction over Google LLC’s Processing Activities

Google challenged the jurisdiction of the CNIL arguing that its Irish affiliate, Google Ireland Limited, is Google LLC’s European headquarters and its main establishment for the purposes of the GDPR’s one-stop-shop mechanism and that the complaints should have been handled by the Irish Data Protection Commissioner as Google’s lead supervisory authority.

According to the CNIL, the evidence provided by Google revealed that Google Ireland Limited was simply involved in various activities carried out by Google LLC in the EU and did not have decision-making powers over the personal data processing activities covered in the privacy policy presented to users when creating a Google account during the configuration of their Android mobile phones. Accordingly, the CNIL concluded that Google did not have a main establishment in the EU and that the one-stop-shop mechanism was therefore inapplicable. As a result, the CNIL was competent to evaluate the data processing activities carried out by Google LLC. The CNIL did not consult the European Data Protection Board regarding identification of a possible lead supervisory authority, and noted that the president of the Board similarly did not consider it necessary for the Board to be consulted.

Alleged GDPR Violations

• In its ruling, the CNIL found that Google LLC had failed to (1) comply with the transparency and notice requirements of the GDPR and (2) obtain valid consent from users. With respect to the transparency obligations, the CNIL found that the disclosures provided by Google were not easily accessible for users and that information was spread between several documents. According to the CNIL, these documents included multiple buttons and links on which users had to click to access additional information, requiring sometimes up to 5 or 6 actions to obtain the relevant information about the data processing. In addition, the CNIL found that the description of the purposes (such as providing personalized services in terms of content and ads, ensuring the security of the services and products, and providing and developing services) and the types of data processed for these purposes were too vague. In the CNIL’s view, those descriptions could not allow users to understand the extent of the data processing carried out by Google and its consequences. The CNIL also found that the privacy policy was not clear with respect to the legal basis for processing personal data for ad personalization purposes (i.e., users’ consent). Further, the CNIL found that, for a certain type of data, the information provided did not include a specific retention period or the criteria that would allow users to determine that period.
• With respect to consent, the CNIL found that, in light of the above, users’ consent for ad personalization purposes was not sufficiently informed since the information was diluted across several documents. In addition, the CNIL also found that users’ consent was not specific or unambiguous, as required by the GDPR. The CNIL noted that it was possible for users to modify some of the options associated with their Google account and to configure the display of personalized ads by ticking a box. However, in the CNIL’s view, consent was not unambiguous as the boxes in question were pre-checked by default. In this respect, the CNIL stated that unambiguous consent requires a clear affirmative action from users (e.g., by checking a box that is not pre-checked). Further, the CNIL found that consent was not specific as, before creating an account, users were asked to consent to all the processing operations carried out by Google based on consent, as further described in Google’s privacy policy. The CNIL stated that consent is specific only if it is given distinctly for each purpose.

CNIL’s Sanction

In setting its fine at €50 million, the CNIL considered the following:

• The fact that the alleged violations relate to essential principles of the GDPR and are therefore particularly serious;
• The fact that the alleged violations are still occurring and constitute continuous breaches of the GDPR;
• The importance of the Android operating system in the French market; and
• The extent of the data processing operations covered by the privacy policy presented to users when creating a Google account during the configuration of their Android mobile phone, considering the number of Google services involved and the variety of data processed via, or in relation to, the Android operating system.

The CNIL imposed its fine upon Google LLC but addressed its decision to Google France SARL in order to enforce its decision. Google LLC may appeal this decision within four months before France’s highest Administrative Court (Conseil d’Etat).