The French data protection authority (‘CNIL’) announced, on 21 January 2019, that it had issued a €50 million fine against Google LLC for compliance violations under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), further to complaints filed by La Quadrature du Net and None of Your Business, and subsequent investigations into the processing operations carried out in the context of its Android operating system.
Sonia Cissé, Managing Associate at Linklaters LLP, told DataGuidance, “The first sanctions under the GDPR were expected to happen soon, and all actors were wondering where and how hard the lightning would strike. While many hoped data protection authorities would adopt a conciliatory approach for several more months, it is now clear that the grace period is over […] CNIL wanted to show its claws with this decision, and it will surely make waves among other tech companies.”
CNIL found that Google had failed to demonstrate transparency of information under Articles 12 and 13 of the GDPR, holding that Google failed to provide users with necessary information regarding the processing of their data in a clear and comprehensive way and that such information was scattered across various documents and required the user to cross-check how their data would be used. Moreover, CNIL concluded Google did not have a valid legal basis for the processing of personal data under Article 6 of the GDPR as it had not validly obtained users’ consent to process data for personalised advertising purposes and the consent was not specific to each of the identified processing purposes.
Ariane Mole, Partner at Bird & Bird LLP, highlighted, “CNIL had previously sanctioned Facebook Inc. and Facebook Ireland in 2017 for only having diluted information so that users were not able to understand what was done with their data. Of course, at that time, CNIL did not have the power of the GDPR at its disposal. It is true that [the fine] represents only a small percentage of Google’s worldwide annual turnover, compared to the possible 4% available penalty under the GDPR. However, […] this does not mean that CNIL should necessarily impose the maximum amount in its first sanction under the GDPR. Also, this decision concerns only the Android operating system and other proceedings are pending.”
Moreover, CNIL noted that, in determining the amount of the fine, it considered Google’s economic model, which is partly based on advertisement personalisation, and assessed the seriousness of the shortcomings in relation to fundamental principles under the GDPR. Furthermore, CNIL reviewed the potential risks to Google consumers using the Android operating system, and highlighted that it was Google’s responsibility to comply with obligations identified in the decision.
Claire François, Counsel at Hunton Andrews Kurth LLP, concluded, “CNIL has taken a hard stance against Google. [Although] CNIL recognised the efforts made by Google in recent years to increase transparency and ensure users have better control of their personal data, in CNIL’s view, it was still not enough to meet the GDPR’s enhanced transparency requirements […] Data controllers should particularly pay attention to the way they collect users’ consent. It is acceptable to propose a feature whereby users may consent to the processing of their personal data for different purposes, if these purposes have been clearly listed beforehand and users have been given the possibility to make a granular choice for each of them.”
LAUREN SHERLOCK Privacy Analyst