On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.
Background
The CNIL’s enforcement action was the result of collective actions filed in May 2018 by two not-for-profit associations—None Of Your Business (“NOYB”) from Austria and La Quadrature du Net (“LQDN”) from France. On June 1, 2018, the CNIL shared these two complaints with other EU data protection supervisory authorities with a view toward designating a lead supervisory authority in accordance with Article 56 of the GDPR. On September 21, 2018, the CNIL nevertheless undertook an online inspection to assess whether the processing activities carried out by Google in the context of its Android operating system complied with the French Data Protection Act and the GDPR.
As a result of its investigation, the CNIL asserted that Google had failed to (1) comply with the transparency and notice requirements of the GDPR, and (2) obtain valid consent from users. With respect to the transparency and notice requirements, the CNIL believed that the information provided to users when creating a Google account was not always clear and easily accessible. In particular, the CNIL found that essential information about the data processing (such as the purposes, the data retention periods or the types of personal data processed for ad personalization) was spread across several pages, and that users sometimes needed to complete up to six actions to obtain that information. In addition, the CNIL asserted that the description of some information was too vague and did not allow users to understand the extent of the data processing carried out by Google. With respect to consent, the CNIL found that users’ consent was not validly obtained for the processing of their personal data for ad personalization purposes. In particular, the CNIL noted that consent was obtained via a checkbox that was pre-checked by default. The CNIL’s Restricted Committee therefore decided to impose a fine, but addressed its decision to Google France SARL in order to enforce its decision.
On May 16, 2019, Google appealed that decision before the Conseil d’Etat, arguing irregularities on the grounds that (1) Google’s main establishment in the EU is located in Ireland for purposes of the GDPR’s one-stop-shop mechanism, and the Irish Data Protection Commissioner was competent to supervise Google’s EU data processing activities, and (2) the CNIL did not properly apply the GDPR’s cooperation and consistency procedures, particularly with respect to its failure to consult the European Data Protection Board (“EDPB”). Google further argued that the CNIL committed errors of law in (1) finding violations of the GDPR transparency and consent requirements, and (2) imposing a disproportionate fine of €50 million on Google, without taking into account all of the assessment criteria provided for in Article 83(2) of the GDPR. Google also requested that the Conseil d’Etat refer questions to the European Court of Justice for a preliminary ruling and stay the proceedings pending the European Court of Justice’s ruling. The Conseil d’Etat refused to refer questions to the European Court of the Justice and rejected Google’s arguments.
The CNIL’s Jurisdiction over Google’s Processing Activities
The Conseil d’Etat found that, on the date of the CNIL’s decision, Google’s Irish affiliate, Google Ireland Limited, could not be considered Google’s place of central administration in the EU and its main establishment for the purposes of the GDPR’s one-stop-shop mechanism because: (1) it was not established that Google Ireland exercised direction or control over the other European affiliates of Google at that time so that Google Ireland could be considered Google’s place of central administration in the EU, and (2) the investigation showed that Google solely determined the purposes and means of the data processing activities in question and Google Ireland did not have decision-making power in that respect but had taken on new responsibilities concerning the data processing activities after the date of the CNIL’s decision. Accordingly, the Conseil d’Etat concluded that the one-stop-shop mechanism was not applicable on the date of the CNIL’s decision, and the CNIL was competent to investigate the complaints filed by NOYB and LQDN and impose a sanction for Google’s processing of personal data relating to French users of the Android operating system.
Procedural Issues
The Conseil d’Etat further found that, when in June 2018 the CNIL shared NOYB’s and LQDN’s complaints with other EU supervisory authorities with a view toward designating a lead supervisory authority, no other EU supervisory authority chose to refer the matter to the EDPB, nor did they indicate that they had divergent views from those of the CNIL with respect to the absence of a main establishment of Google in the EU. In addition, the Conseil d’Etat noted that in August 2018, the Irish Data Protection Commissioner publicly stated that it was not Google’s lead supervisory authority in the absence of decision-making powers of Google Ireland over the data processing activities carried out by Google in the EU. In the absence of divergent views, and since the investigation of the complaints did not fall within any of the circumstances triggering a referral to the EDPB pursuant to Articles 64 and 65 of the GDPR, the Conseil d’Etat concluded that the CNIL did not need to refer the matter to the EDPB.
GDPR Violations
The Conseil d’Etat confirmed the analysis of the CNIL with respect to both the implementation of the transparency and notice requirements, and obtaining users’ valid consent for the processing of their personal data for ad personalization.
The CNIL’s Sanction
Article 83(2) of the GDPR provides a list of criteria EU supervisory authorities are expected to use in the assessment of whether a fine should be imposed and the amount. In that respect, Google claimed that the CNIL’s decision did not state sufficient reasons because the CNIL did not comment on all of the criteria of Article 83(2) of the GDPR and did not explain how the amount of the fine was calculated.
The Conseil d’Etat rejected those arguments, considering that the requirement that the CNIL’s decisions be duly reasoned implies that the CNIL must explain only the considerations on which its decision is based. According to the Conseil d’Etat, the CNIL did not need to state reasons for its decision with respect to all of the criteria of Article 83(2) of the GDPR. Furthermore, the Conseil d’Etat found that there is no legal provision requiring the CNIL’s Restricted Committee to explain how the fine is calculated, and the CNIL’s decision did not need to provide figures in that respect.
Finally, the Conseil d’Etat found that the fine was not disproportionate given the gravity of the alleged infringements, the fact that they were still occurring at the time of the CNIL’s decision, the length of time they persisted, the maximum limits for fines provided by the GDPR and Google’s financial strength. The Conseil d’Etat concluded that there was no need to refer questions to the European Court of Justice for a preliminary ruling and dismissed Google’s appeal, thereby upholding the CNIL’s decision.
View the Conseil d’Etat’s decision (currently only available in French).
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code