In its first major enforcement action since the EU’s General Data Protection Regulation (“GDPR”) came into effect on May 25, 2018, the Commission Nationale de l’Informatique et des Libertés (“CNIL”), the French data protection authority, fined Google €50 million for violations of the GDPR. CNIL’s decision focuses on Google’s lack of transparency and consent in the context of creating a new account and configuring a mobile device on the Android operating system. The decision provides some insight into how regulators interpret the key principles of transparency, legal basis, and consent, as well as GDPR’s jurisdictional scope and the potential reach of different regulatory authorities in the EU.
Background on the Complaints
The decision’s underlying complaints were filed by two consumer watchdogs the week the GDPR came into effect. The first was filed on behalf of 12,000 people by La Quadrature du Net (“LQDN”), a French organization that operates worldwide to address consumer, censorship, and surveillance issues. The other was brought on behalf of a single, unnamed Android user by an Austrian nonprofit called noyb (from “None of Your Business”), led by Austrian digital-rights activist Max Schrems. Schrems has made a name for himself by pushing EU regulators to investigate the privacy practices of U.S.-based companies, in particular through his suit against Facebook, which made its way through European courts between 2013 and 2015 and led to the invalidation of the Safe Harbor Privacy Principles. (See our Client Memo on the Invalidation of Safe Harbor here, and our follow-up Client Memos on the development of Privacy Shield as a replacement for Safe Harbor here, here, and here.)
The Alleged Violations: Lack of Transparency and Consent
At the heart of CNIL’s decision were Google’s alleged violations of the GDPR’s principles of notice and consent. According to CNIL, Google failed to adequately explain to consumers how their personal data would be used, particularly concerning targeted advertising, and did not obtain unambiguous, specific consent as required by GDPR. In particular:
(1) Notices were not easily accessible. Essential information, such as the purposes of processing, data storage periods, and categories of data used for ad personalization, was dispersed across several documents. CNIL found that in some cases, users had to click through multiple pages to find a complete explanation of how their data is collected and used.
(2) Notices were not clear or comprehensive. CNIL alleged that Google often used generic or vague language to explain complex data processing operations and to describe important matters such as the purposes of processing and the categories of data processed. Notices pertaining to retention periods were not provided for some data. Notably, CNIL found that it was not clear from Google’s privacy notices whether the legal basis for processing data for ad personalization was the consent of the user or the legitimate interest of the company.
(4) Consent was neither “specific” nor “unambiguous.” Google used single instances of consent to justify multiple different processing operations, and for some operations relied on pre-checked consent boxes. CNIL noted that GDPR requires consent to be (i) “unambiguous,” i.e., only with a clear affirmative action from the user; and (ii) “specific,” i.e., given distinctly for each purpose.
CNIL’s Jurisdictional Reach
Another important aspect of this action is what it means for the jurisdictional scope of GDPR and the regulators enforcing GDPR. For organizations with an establishment in the EU, the Data Protection Authority (“DPA”) in the country where the organization’s “main establishment” is located usually acts as the “lead authority” in actions related to the cross-border processing of personal data. Google’s European headquarters are located in Ireland, suggesting that the Irish DPA should have taken the lead on any enforcement for violations of GDPR. However, CNIL reasoned (after conferring with relevant authorities, including the Irish DPA) that it had the authority to initiate proceedings in this case because Google’s Irish establishment did not have “decision-making power” over the Android operating systems at issue in the complaint. Those decisions are carried out at Google’s American rather than European headquarters. In other words, the “main establishment” provisions of the GDPR may apply only insofar as that establishment is the primary location where decisions are made about a company’s data processing efforts.
This could have significant implications for non-EU companies. Where the “main establishment” concept is not applicable, authorities in any EU country may have jurisdiction over companies that process the data of individuals who are located within its borders. In this case, CNIL points to the fact that each day thousands of French people create Google accounts from their smartphones. CNIL’s jurisdictional approach indicates that a non-EU company could be at risk of enforcement anywhere it has EU customers, not just where it designates an EU headquarters. Complaints have also been filed against Google in Austria, Germany and Ireland, so it will be interesting to see if authorities in those jurisdictions also pursue infringement proceedings.
GDPR provides for fines of up to 4% of a company’s global, annual turnover (i.e., revenues), so despite the fact that Google could have been liable for substantially more than €50 million, CNIL’s explanation emphasized why the fine was so high, not why it was not higher. Specifically, CNIL said that the fines were justified by the severity of the allegations and that the allegations stemmed from violations of the “essential principles of the GDPR,” transparency and consent. CNIL found that in too many instances, Google was not providing its users with sufficient information to enable them to provide the knowing consent the GDPR requires, did not create mechanisms that demonstrated that consent was freely given, and failed to furnish information that was clear and accessible enough for users to understand. Additionally, CNIL found that these instances were not one-off, but rather a continuing practice.
CNIL also cited the sheer size and scope of Google’s data processing operations, and particularly the “important place” of Google and the Android operating system in the French market, as well as the fact that Google’s business model is based on personalized advertising. All of these factors suggest that other companies – i.e., companies that do not rely on an advertising-driven business model, companies that do not have a significant market share in search or mobile operating systems, etc. – may not face fines of a similar scale for similar violations.
Moving Forward: More Enforcement?
In addition to the issues of transparency and consent addressed in CNIL’s decision, the noyb and LQDN complaints alleged that Google relied on consent that was not freely given, or in noyb’s words, “forced consent.” In response to CNIL’s decision not to address the issue of freely given consent, LQDN stated that “CNIL is today silent on this subject, and we deeply regret it.” Additionally, while CNIL’s decision was limited to Google’s Android operating system, LQDN’s complaint was leveled against services across Google’s platform, such as YouTube, Gmail, and Google Search. The lasting impact of CNIL’s decision remains to be seen. Google has announced it plans to appeal the decision, citing its concern “about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”
For both noyb and LQDN, the Google complaint represents one of several filed after the GDPR took effect. LQDN has filed additional complaints with CNIL alleging violations by Apple, Facebook, Amazon and Microsoft. For its part, noyb has complaints pending in multiple countries (though it acknowledges that in several instances the Irish authorities will also be involved), namely against Instagram in Belgium, WhatsApp in Germany (Hamburg), and Facebook in Austria. The extent to which CNIL and other national authorities pursue consumer watchdog complaints remains to be seen, but whatever they do will send strong signals to other companies about how these regulators interpret and enforce GDPR.