On 21 January 2019, the French data protection authority Commission Nationale de l’Informatique et des Libertés (CNIL) imposed a penalty of €50 million on Google’s U.S. headquarters – Google LLC – for infringements of the General Data Protection Regulation (GDPR), specifically for lack of transparency, inadequate information and lack of valid consent regarding ads personalization.
History of case
On 25 and 28 May 2018 – just after GDPR came in full force – CNIL received group complaints from the associations None Of Your Business (founded by privacy activist Max Schrems) and La Quadrature du Net. La Quadrature du Net was mandated by about 10 000 people to refer the matter to the CNIL. The associations claimed that Google did not have a valid legal basis to process the personal data of its users, particularly for ads personalization purposes. The complaints focused specifically on Android’s set-up process where users need to create a Google account in order to use their device.
When CNIL started investigating the complaints, Google insisted that CNIL had no authority over it, as Google’s European headquarters are located in Ireland and the Irish data protection authority (DPA) should be leading the case in accordance with the “one-stop-shop mechanism” – the GDPR provisions on international cooperation of EU data protection authorities. Therefore, on 1st June 2018, the CNIL sent these two complaints to its European counterparts to assess if it is competent to deal with them.
Communication with the other authorities, in particular with the Irish DPA, revealed that Google’s Irish establishment did not have a decision-making power on the processing operations carried out in the context of the mobile operating system Android and the services provided by Google LLC in relation to the creation of an account during the configuration of a mobile phone.
In particular, the CNIL pointed to the fact that Google Ireland Limited was not mentioned in the privacy notice as the decision-making entity for processing activities related to Android users, and that it did not develop the Android operating system (Google LLC did). Besides, Google itself confirmed that it was in the process of “transferring responsibility” from Google LLC to Google Ireland Limited for the processing operations covered, and that this process would only be finalized by 31 January 2019. Therefore CNIL decided that the “one-stop-shop mechanism” is not applicable and CNIL (like any other EU data protection authority in given circumstances) is competent to take any decision regarding processing operations carried out by Google LLC.
In September 2018 CNIL carried out online inspections to verify the compliance of Google’s processing operations with the French Data Protection Act and the GDPR. In particular, CNIL analysed the browsing pattern of a user and the documents the user can access when creating a Google account during the configuration of mobile equipment using Android.
On 21 January 2019, the CNIL’s Restricted Committee – which is responsible for imposing sanctions – imposed on Google LLC a fine as it observed two types of GDPR infringements:
- violation of Google’s transparency obligations under the GDPR (specifically of Articles 12 and 13 of GDPR), and
- the lack of a legal basis for processing personal data (a requirement under Article 6 of GDPR) for advertising purposes.
CNIL found that Google LLC has breached the following GDPR requirements.
1. Inefficient transparency and information
To proceed with an in-depth analysis of Google’s information practices, CNIL applied the transparency criteria established by Working Party 29 and endorsed by EDPB. CNIL found that the information Google provides to its users on its data processing activities is neither easily accessible nor sufficiently clear and intelligible. That prevents users from determining, in advance, the extent and consequences of the processing of their personal data. Failure to provide data subjects with sufficient transparency and information is a breach of Articles 12 and 13 of the GDPR.
Insufficient accessibility to the information
Information about Google’s data processing activities is disseminated across several documents that are provided to users at different times. In addition to this fragmented information, in order to be able to understand what data is collected, for which purposes and for how long Google will process their data, users are forced to navigate and cross-check a large amount of information, across complex web notices and policies, clicking many links. The CNIL assessed that, in the case of targeted ad processing, five different user actions were required in order to access the full set of information that applies to the processing of the user’s data.
While DPAs generally encourage the use of a “layered” approach in providing information to individuals, CNIL notes that Google uses information “layers” in a way that adds complexity to information rather than making it easier to understand. This complexity results in a general lack of accessibility, making it hard for users to find and understand the information.
Lack of clear and understandable information on data and purposes
The CNIL points out that in the course of providing its services Google processes a very large amount of personal data that is gathered through various sources, and such processing may reveal sensitive data (e.g. political and other interests and opinions, life style, tastes etc.). That makes Google’s data processing activities “massive and intrusive”. Taking into account the nature of the processing and its impact on the data subjects, the first layer of information provided by Google’s “Privacy & Terms” and “Terms of Service” is not sufficient for users to understand the full extent and consequences of the processing activities Google carries out on their personal data:
- the description of the purposes is too generic (e.g. “improve the services we provide to our users”); and
- the description of the data collected is “particularly incomplete and inaccurate”.
However, the CNIL admits that thorough information provided directly within that first layer would be contrary to the transparency requirement due to the number and extent of Google’s data processing activities. In this respect a different presentation of the “Privacy & Terms” could enable more visibility on the characteristics of data combination activities carried out depending on their data processing purpose.
Unclear information regarding legal basis for targeted advertising
Google does not provide information about the legal basis for processing data for targeted advertising in a sufficiently clear and understandable way: while Google argues that it relies on data subjects’ consent as the exclusive legal basis for such processing, for other kinds of targeted advertising it indicates legitimate interests as a legal basis. Therefore, users are not able to understand the difference between the category of customised advertising, which is based on the customer’s consent, and the other forms of targeting, which are based on Google’s legitimate interests.
Missing information on retention period
Google does not provide the period for which it stores data or even the criteria used to determine such a period, as required by Article 13(2)(a) of the GDPR. Indeed, only a general explanation of the purpose of the retention period is provided, without any precise retention term or criteria for determining such a period.
Google’s tools for transparency and information are not sufficient
CNIL welcomed the tools Google implemented to improve users’ access to information about their data. However, they are only available once the user’s account has been created and do not provide such information to data subjects at the time the personal data is collected, as required by Article 13 of the GDPR. A Google account is set up by default to enable customized features (such as personalized recommendations and adverts) that are based on pre-ticked boxes, preventing users from making a choice during account creation.
2. Lack of legal basis for ads personalization
Google states that it relies on the users’ consent to process their personal data for ads personalization purposes. However, such consent is not valid for the following reasons:
- The users’ consent is not sufficiently informed (for the reasons detailed above).
- It is neither unambiguous, nor specific, as required by GDPR:
  - Google uses pre-ticked check-boxes by default for the user’s preferences.
  - When creating an account, the user has to specifically click on “more options” to access preferences. Otherwise, the user’s consent will be deemed given to Google. Therefore, the user would not consent with a clear affirmative action.
Fine applied to Google for GDPR breaches
For violations of GDPR the CNIL imposed on Google LLC a financial penalty of €50 million. This is the first time that the CNIL applies the new sanction limits provided by the GDPR. CNIL justifies the decided amount and the publicity of the fine by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.
Despite the measures implemented by Google (documentation and configuration tools), the infringements are substantial as they can impact important parts of an individual’s private life, since they involve a huge amount of data, a wide variety of services and almost unlimited possible combinations. Moreover, the violations are not a one-off, time-limited infringement but continuous breaches of the Regulation, as they are still observed to date.
Finally, the Android operating system has an important place on the French market, impacting millions of users. Furthermore, CNIL points out that the economic model of the company is partly based on ads personalization. Therefore, the company bears the utmost responsibility to comply with its obligations on the matter.
Takeaways from case
The case raises a number of important privacy issues.
Even companies not based in EU must follow GDPR
CNIL fined Google LLC – a company not based in the EU. That means that even companies which are not based in Europe must follow the tough new rules if they want their sites and services to be available to European users. CNIL’s decision is a strong indication that being located outside the EU does not prevent data protection authorities from pursuing such companies in case of substantial breaches.
‘One stop shop’ and main establishment
The decision dismisses the application of the GDPR’s one-stop-shop by holding that Google Ireland Limited is not Google’s main establishment in the EU (which would make the Irish data protection authority the competent authority, instead of the CNIL). CNIL decided that Google has no main establishment in the EU because:
- the decisions over the processing of data relating to Android and Google accounts are made by Google’s headquarters in the US (i.e. Google LLC), not by Google Ireland Limited,
- Google Ireland Limited has not appointed a data protection officer to oversee Google’s processing operations in the EU.
Consequently, in the absence of a main establishment in the EU, Google LLC could not benefit from the “one-stop-shop” mechanism, as it was not possible to clearly identify the lead supervisory authority. With no main establishment in the EU, Google LLC could potentially be subject to enforcement by any supervisory authority in the EU.
The decision demonstrates a willingness by regulators to interpret the “main establishment” concept restrictively, which, for non-EU headquartered companies, could render the one-stop-shop redundant and expose them to enforcement by several authorities. Moreover, there can also be different controllers for different processing activities within the same group and thus different lead authorities, which can make the “one-stop-shop” mechanism very complex.
This decision will require companies to review the information they provide to data subjects and the manner in which they provide it. It emphasizes a need for notices that are user-friendly, comprehensive and exhaustive at the same time. That is a hard task for organisations processing large amounts of personal data for different purposes, as it also requires thorough and centralised knowledge about the organisation’s processing activities. At the same time it is evident that DPAs recognise tools and mechanisms that empower users and make access to their data and information easier and more convenient.
Consent and legal basis for processing
Companies have to be clear about exactly what the legal bases for processing data are. Mixing them and being unclear may lead to a violation of GDPR. And where the legal ground for data processing is consent, the strict rules of GDPR have to be followed. CNIL’s decision re-emphasises that under the GDPR consent must be “given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication” of the individual’s will. Pre-ticked boxes are not considered valid consent. Also, consent has to be collected for each of the processing activities, rather than one consent for all of them.
While many hoped data protection authorities would adopt a conciliatory approach for several more months, it is now clear that the grace period is over and fines will follow. The fine also indicates that €20 million is not the limit and that the threshold of 4 % of the total worldwide annual turnover can be applied instead to big companies.
The CNIL cited the following factors that were considered in calculating the fine:
- the nature of the infringement: Google violated the basic key data protection principles (transparency and lawfulness);
- the duration of the infringement: the violations were continuous;
- the scope of the infringement: Google, with its operating system Android, occupies an important position on the operating system market;
- taking into account the purpose of processing, the scope of data and the number of affected data subjects (massive and intrusive collection of personal data), the violations were severe; and
- the gain obtained from the infringement: the business model of Google is essentially based on the exploitation of personal data of its users, from which it gets benefits.
Unfortunately, no more specific indication is given as to how the fine was calculated, nor as to the importance of each of the cited factors. Given Google France’s “limited” turnover, the fine is clearly based on the turnover of Alphabet, the holding company.
As one of the first and loudest cases, this case may set a “benchmark” for further regulatory fines for GDPR breaches.
Plans to implement GDPR
Just like most companies whose business models rely on the processing of EU citizens’ data, Google made efforts to increase data usage transparency and improve access to privacy settings for the GDPR’s arrival last year. Apparently the company has not done enough to meet the expectations of its users and the GDPR.
CNIL recognised the efforts undertaken by Google towards greater transparency and users’ information, as well as providing users with improved control over their personal data. Nevertheless, the CNIL found that Google’s current information practices do not comply with the basic GDPR requirements. That means that efforts made to comply with GDPR will have a positive influence on the data protection authority; however, basic principles shall be met.
Associations can complain, too
Both complaints that initiated CNIL’s investigations were brought by two associations, not data subjects themselves. Google contested the right of associations to complain about GDPR breaches on behalf of customers, as this is not provided in procedural laws. However, CNIL pointed out that Article 80 of GDPR provides such a right and an obligation for institutions to accept complaints without additional formalities. Even more – such associations may receive compensation for breach of their members’ privacy rights.
It should be noted that associations are more qualified to prepare legally sound complaints than individuals. And that means we will see more and more cases initiated by associations.
Appeal of CNIL’s decision
The CNIL’s decision is now open for appeal before the French Council of State for a period of 4 months. Google has already publicly announced its intention to appeal the CNIL’s decision. The company issued a statement saying: “We’ve worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. [..] We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.”
More fines from other EU DPA’s?
The fine only relates to the French processing (given that the CNIL is not competent in these circumstances to impose fines in respect of infringements in other member states), and it remains to be seen if any other DPA will seek to impose fines for their jurisdiction. It is already evident that CNIL is not the only EU data protection authority aiming at Google for GDPR breaches. Recently the UK’s watchdog, the Information Commissioner’s Office (ICO), announced that it is also looking into whether Google has violated the General Data Protection Regulation (GDPR). The ICO said it is working with other regulators around Europe to consider its next possible steps after a number of complaints had been raised.