The Commission nationale de l’informatique et des libertés (CNIL), France’s data protection authority (DPA), has levied a €50 million fine against Google for allegedly violating the GDPR’s transparency, information, and consent requirements in deploying targeted advertisements. The fine—the largest fine under GDPR to date and the first involving a U.S. technology company—was issued on January 21, 2019, and sheds additional light on the CNIL’s GDPR enforcement priorities and practices.
THE CNIL’S FINDINGS
- Jurisdiction and Inapplicability of One-Stop-Shop Principle
- The CNIL determined that it has jurisdiction to handle these complaints and that the GDPR’s “one-stop-shop” principle is inapplicable in this instance. The CNIL found that although Google maintains its EU headquarters in Ireland, from which it operates a host of services (finance and accounting, sales of advertisement, contracting, etc.), the Irish establishment “did not have a decision-making power on the processing operations” related to its Android operating system and thus could not be considered Google’s “main establishment” in the EU. The CNIL also indicated that it immediately communicated the complaints to other DPAs through the European information exchange system in order to identify a lead DPA, and that no DPA or the president of the European Data Protection Board (EDPB) deemed it necessary to bring the case before the EDPB (which would have occurred if the identification of a lead DPA or the CNIL’s jurisdiction were challenged).
- GDPR Violations
- Transparency and Information. The CNIL highlighted an overall lack of accessibility to essential information. In particular, the CNIL found that essential information, such as processing purposes, retention periods, and categories of personal data used for ad personalization, is excessively spread across several documents, requiring the user to click several buttons and links to access additional information.
- Further, the CNIL found that, in several instances, Google’s wording did not meet the threshold of being adequately “clear” and “comprehensible”—a threshold that the CNIL suggested must be analyzed by taking into account the nature of the processing and its impact on individuals. The CNIL considered Google’s processing to be “massive and intrusive,” given the high volume, sources (e.g., via the many Google services, including through telephone and email), variety (i.e., supplied by users directly; generated by their activity, e.g., IP address; or derived from their activity, e.g., points of interest), and type of data involved (e.g., geolocation and viewed content) and the data’s capacity to reveal with a high degree of precision many of the most intimate aspects of a person’s life, such as living habits, tastes, contacts, opinions, and movements.
- Given its assessment of the magnitude of Google’s processing, the CNIL found that: (1) the purposes of the processing are described in “too generic” a manner, and that categories of data are “incomplete and imprecise”; (2) it is unclear that the legal basis of processing for ad personalization is consent, not Google’s legitimate interest; and (3) in the case of some data, no retention period is provided.
- Finally, although Google implemented various tools to provide additional information, including a pop-up window prior to Google account creation, a dashboard, and a privacy check-up, those tools did not offer sufficient information or were not provided prior to account creation.
- Consent. The CNIL found that the consent Google obtains for processing for ad personalization purposes is inadequate for two reasons:
- (1) It is not sufficiently informed. In addition to being diluted across several documents, as discussed above, the CNIL found that the information does not indicate the extent of services, websites, and apps (and thus the volume of data) that are implicated—from YouTube to Google Maps to Google Photos.
- (2) Consent is neither “specific” nor “unambiguous.” While users can configure the display of personalized advertisements via an optional “More Options” link prior to their Google account creation, users who do not exercise the option essentially miss the opportunity to provide consent. Additionally, various options, including the option to display personalized advertisements, are checked by default. The CNIL found that a user’s consent therefore does not reflect her/his clear affirmative action as required by the GDPR. It should be noted that although the CNIL did recognize that it may be possible to offer functionalities enabling users to “accept all” or “refuse all” processing purposes, such functionality must also include the possibility to identify, and consent to, each specific purpose.
The CNIL indicated that it relied on four factors in particular in issuing its €50 million fine (and ordering the publication of the decision):
- The particular nature of the infringements relating to lawfulness (GDPR Art. 6) and transparency (GDPR Arts. 12 and 13), both of which are core principles of the GDPR and listed as triggering the highest fining threshold (of 4% of global annual turnover) in the GDPR (GDPR Art. 83.5).
- The fact that the infringements were continuous and ongoing after the GDPR’s effective date (as opposed to a one-off infringement).
- The processing purposes, their scope, and the number of individuals concerned.
- Although the CNIL’s investigation focused on users who created a Google account upon setting up their Android device, it pointed out that this alone amounts to a significant number of individuals.
- The CNIL contends that the processing is vast in light of Android’s predominant position in the French smartphone market and the proportion of smartphone users in France.
- The processing is also vast given the number of Google services involved (more than twenty), the variety and type of data involved, and the multiple technological processes that enable Google to combine and analyze data from various services, applications, or external sources. Those processes undeniably have a “multiplying effect” on the precise knowledge that the company has on its users. The company has means for potentially unlimited combinations enabling a massive and intrusive use of user data.
- The infringements must be put into perspective with the economic model of Google, in particular the processing of user data for advertising purposes via Android. Because of the advantages that Google obtains from that processing, the CNIL found that the company must be particularly cautious about its responsibilities under the GDPR.
It is further noteworthy that the CNIL does not substantiate how it got to the amount of €50 million. Although the CNIL explicitly indicates that the infringements at hand would be subject to the GDPR’s 4% maximum fine and in that regard also refers to Google’s 2017 global revenue of €96 billion, it is clear that the CNIL did not impose the maximum fine. However, other than indicating that a fine of €50 million seems “justified,” the CNIL provides no reasoning as to how it got to any starting amount or even how the factors referred to above influenced the ultimate amount. As we have indicated before (see our article on the GDPR’s sanctions framework and a comparison with competition fines here), it would be highly recommended for DPAs (or even the EDPB at the EU level) to issue penalty guidelines that provide for internal guidance on how to determine the amount of fines (similar to what the European Commission has done for antitrust fines).
Finally, the CNIL did not provide Google with a prior notice (mise en demeure) to correct the infringements it identified (although Google was provided with a report explaining alleged infringements and communicated its observations to the CNIL ahead of its decision).
Google now has four months from its notification of the decision by the CNIL to appeal the decision before the French Council of State.
- This case represents the CNIL’s first published enforcement action explicitly under the GDPR and the largest fine it has ever imposed. It also highlights the CNIL’s scrutiny of notice and consent in online advertising, which had been building up in the past months, as evidenced by other recent CNIL decisions.
- The decision also underscores the need to make notice and consent intuitive for users, for example via clear and easily accessible policies. Although layered notices are helpful, they should not lead to having to sift through multiple disparate documents to find relevant information. Similarly, notice language that is too vague or generic, or implied consent resulting from a user’s inaction or pre-ticked settings, are likely to be scrutinized by DPAs in the case of an inquiry. As notice and consent need to be published, and relate to core GDPR principles, it does not come as a surprise that DPAs use these mechanisms as a first indicator of a company’s compliance.
- The one-stop-shop principle does not seem to be a one-off assessment that any company does (or can do) simply by referring to its EU headquarters. Rather, DPAs will look at individual processing activities and determine on a case-by-case basis whether the activities concern cross-border processing for which a lead DPA should be involved.
The CNIL’s press release can be found here (in English). The CNIL’s full decision can be found here (in French).
Rob Famigletti, a Privacy Analyst in the firm’s New York office, assisted in the preparation of this client alert.