French Regulator Imposes the Highest GDPR Fine to Date on Google

February 06, 2019

The first sanction taken in application of the General Data Protection Regulation (GDPR) in France was issued by the French data protection authority (the "CNIL") on January 21, 2019 against Google LLC.

The highest fine previously issued was against Uber France in December 2018 amounting to €400,000 for a data breach that occurred before May 25, 2018, an amount that seems derisory in comparison to the €50 million public fine in the Google case.

In the Google case, the claim had been brought before the CNIL by two consumer associations. The CNIL ruled in their favor, given what the CNIL viewed as a lack of transparency and information and a lack of valid consent for customized advertisement.

In reaching their decision, the CNIL first assessed whether it had the authority to consider the consumer associations’ claims. Google had designated Ireland’s DPA as its lead supervisory authority under the GDPR’s “one-stop-shop” provisions (Art 56 of the GDPR). The CNIL concluded, however, that Google’s designation of Ireland as its lead regulator was invalid because the company’s operations in Ireland lacked the decision-making authority necessary to qualify as Google’s main establishment in the EU within the meaning of the GDPR. This determination gave the CNIL jurisdiction to reach the merits of the complaining parties’ claims.

On the merits, the CNIL held that data subjects could not easily apprehend the legal basis or the extent of the processing of their data from Google’s descriptions of the processing, and where processing was based on the consent of users (e.g. customized advertisement), such consent was not informed. The authority concluded that the information users needed notably to make a consent determination was not easily accessible – it was spread out in different documents, and users were required to take up to six actions to access the information. The CNIL also concluded that Google’s descriptions of the type of data it was collecting and its purposes for collecting the data were vague, and that information on the storage duration of certain categories of the data being collected were missing.

In addition, users were consenting once for all the purposes and the box relating to advertisement was pre-ticked. The GDPR clearly states that to be valid, the consent should be specific and result from an affirmative action of the user.

In the view of the CNIL, the following factors justified the imposition of a sizable penalty against Google in this case: (i) the breach of what CNIL identified in its opinion as "central" and "essential" provisions of the GDPR (i.e. transparency, information and consent); (ii) its finding that the alleged violations were continuous; (iii) Google's leading position on the French mobile operating system market, which provides the company with access to huge amounts of personal data to collect and process in France; and (iv) the authority's conclusion that, given its business model, Google has a special responsibility to comply with the GDPR’s provisions as they apply to legal authorization for customized user advertisements.

Google has stated that they will appeal the CNIL’s decision. Nevertheless, companies subject to the GDPR who collect and process data from users of their services can and should use the CNIL’s decision in this case as an occasion to assess their own compliance schemes against the Authority’s reasoning:

  • Does our main establishment in the jurisdiction of our lead supervisory authority have real decision making power for data processing operations? Do we have evidence of such decision making power? If not, national supervisory authorities will be competent.
  • Is information easily accessible to users or is it split in several documents that requires up to 5 or 6 actions to access it?
  • Are data subjects well informed? Do we make sure that information is complete and the level of details provided is sufficient for users to fully understand the extent of the processing?
  • Is consent specific and unambiguous? Do we make sure that users consent separately for each purpose? Does consenting require a positive action of the user (e.g. a box to be ticked)?

With a 34% increase in complaints since May 25, the CNIL will no doubt have many opportunities to rule on these issues in the future. Companies should follow their decisions closely, and make adjustments in their plans for compliance accordingly.

Subscribe to Dechert Updates