€50 million fine for Google confirmed by French Court
Max Schrems, honorary chairman of noyb: “The amount is tiny for Google, but still an important symbol to show that GDPR fines can reach serious amounts.”
The decision was appealed by Google before the French Conseil d’Etat (the highest administrative court) on the grounds that the French DPA doesn’t have jurisdiction over Google’s European headquarters. Google claimed, among other things, that the Irish data protection authority should be leading any cases or investigations into its practices. The Conseil d’Etat upheld the decision of the CNIL on all points.
Google cannot choose the Irish Regulator. In today’s decision, the Conseil d’Etat confirmed the sanction and the jurisdiction of the French DPA over Google. Google has tried to flee to Ireland, as the Irish Regulator (“DPC”) has so far not issued a single fine under GDPR against a private actor. Unlike the Irish Regulator, which took more than 18 months to complete a report on complaints filed against Facebook, Instagram and WhatsApp, the CNIL issued its report within 5 months, on 22 October 2018, and issued a final decision within eight months.
Max Schrems: "It is very important that companies like Google cannot simply declare themselves to be 'Irish' to escape the oversight by the privacy regulators."
Fight over national competences. Within the EU, the “main establishment” defines which Member State is in charge of enforcing the GDPR. If there is no “main establishment”, any authority can decide on its own. The Conseil d’Etat confirmed that, even if Google’s European headquarters were situated in Ireland, the Irish establishment did not have decision-making power over the processing operations at stake at the time of the decision. As the “one-stop-shop mechanism” was therefore not applicable, the CNIL was competent to take any decision regarding processing operations carried out by Google, like any other DPA in the EU.
Information is not clear. The CNIL also concluded that some information is not always clear or comprehensive. Users cannot realistically understand what Google does with their personal data. For example, the reasons why Google uses data, the legal basis for processing it, or the categories of data processed were found to be too vague.
No valid consent for personalized ads. Whereas Google considers that it obtained users’ consent to process data for ad personalization purposes, the CNIL concluded that such consent was not valid for two reasons:
(1) the consent is not sufficiently informed and can be neither “specific” nor “unambiguous”, considering that the information is diluted in several documents.
(2) moreover, the GDPR provides that consent is “specific” only if it is given distinctly for each purpose. Google has, however, requested a consent to all processing operations.