Background. Following a complaint by noyb and a similar complaint by the French NGO “La Quadrature du Net”, the CNIL (the French Data Protection Authority) imposed a 50 million euro fine on Google over the company’s opaque privacy policy and its lack of a legal basis for personalized ads. This is so far the highest fine adopted by a DPA as a final decision. Nevertheless, it is well below the maximum fine under the GDPR of 4% of Google’s global turnover (this would be € 3.7 billion). The CNIL’s decision focused mainly on two specific GDPR infringements: the lack of sufficient information provided to users and the lack of a legal basis for processing personal data for advertising purposes.
Max Schrems, honorary chairman of noyb: “The amount is tiny for Google, but still an important symbol to show that GDPR fines can reach serious amounts.”
The decision was appealed by Google before the French Conseil d’Etat (the highest administrative court) on the grounds that the French DPA does not have jurisdiction over Google’s European headquarters. Google claimed, among other things, that the Irish data protection authority should be leading any cases or investigations into its practices. The Conseil d’Etat has now upheld the decision of the CNIL on all points.
Google cannot choose the Irish Regulator. In today’s decision, the Conseil d’Etat confirmed the sanction and the jurisdiction of the French DPA over Google. Google has tried to flee to Ireland, as the Irish Regulator (the “DPC”) has so far not issued a single fine under the GDPR against a private actor. Unlike the Irish Regulator, which took more than 18 months to complete a report on complaints filed against Facebook, Instagram and WhatsApp, the CNIL issued its report within 5 months, on 22 October 2018, and issued a final decision within eight months.
Max Schrems: "It is very important that companies like Google cannot simply declare themselves to be 'Irish' to escape the oversight by the privacy regulators."
Fight over national competences. Within the EU, the “main establishment” defines which Member State is in charge of enforcing the GDPR. If there is no “main establishment”, any authority can decide for itself. The Conseil d’Etat confirmed that, even if Google’s European headquarters were situated in Ireland, the Irish establishment did not have decision-making power over the processing operations at stake at the time of the decision. As the “one-stop-shop mechanism” was therefore not applicable, the CNIL was competent to take any decision regarding processing operations carried out by Google, like any other DPA in the EU.
Information not easily accessible. The Conseil d’Etat confirmed the CNIL’s assessment: the information in Google’s privacy policy was not easily accessible to users. The basic information to be provided is spread across too many documents, and is only accessible after several steps (sometimes up to 5 or 6 actions). It therefore did not comply with the GDPR.
Information is not clear. The CNIL also concluded that some of the information is neither clear nor comprehensive. Users cannot realistically understand what Google does with their personal data. For example, the reasons why Google uses data, the legal basis for processing it, and the categories of data processed were found to be too vague.
No valid consent for personalized ads. Whereas Google considers that it obtained users’ consent to process data for ad personalization purposes, the CNIL concluded that such consent was not valid for two reasons:
(1) the consent is not sufficiently informed and can be neither “specific” nor “unambiguous”, considering that the information is diluted across several documents;
(2) moreover, the GDPR provides that consent is “specific” only if it is given distinctly for each purpose. Google, however, requested a single consent covering all processing operations.
Consequences. Max Schrems: “This decision requires substantial improvements by Google. Their privacy policy now really needs to make it crystal clear what they do with users' data. Users must also get an option to agree to only some parts of what Google does with their data and refuse other things”.