On January 21, 2019, France’s data protection regulator (CNIL) imposed a €50 million fine on Google for violating core provisions of the European Union General Data Protection Regulation (GDPR). The action was initiated by two nonprofits on behalf of nearly 10,000 individuals. Google has announced that it will appeal the decision before the French Council of State.
- This decision is the largest fine to date issued under the GDPR. It should be seen as a potential bellwether for global tech and digital advertising companies that are likely to be the subject of intense scrutiny by EU regulators.
- The CNIL’s application of the GDPR’s core requirements of transparency and informed consent is not surprising — it is in line with the spirit of the GDPR and recently issued guidance by the European Data Protection Board. Companies must review privacy disclosures and consent mechanisms to ensure they are clear, easily understood, and readily actionable without requiring users to go through a lot of steps. Disclosures should not be generic; instead, they should inform users about product-specific uses of their personal data.
The CNIL’s investigation was triggered by complaints against Google from two nonprofit advocacy organizations (None Of Your Business — led by the privacy activist who successfully challenged the U.S.–EU Safe Harbor framework for cross border transfers — and La Quadrature du Net) for: (i) allegedly forcing Android users to accept Google’s privacy terms or lose access to the services; and (ii) violating the GDPR’s transparency and informed consent requirements.
1. “One-Stop Shop”
As a threshold matter, the CNIL jettisoned Google’s reliance on “one-stop shop” and asserted jurisdiction over both actions. The one-stop shop is a mechanism under the GDPR that empowers the EU privacy regulator of the member state where a company has its “main establishment” to take the lead in compliance oversight, investigations, and enforcement. Google argued that its main establishment was in Ireland, where it has finance, accounting, sales, advertising and other operations and that, therefore, the Irish regulator had jurisdiction over the case as Google’s lead authority. The CNIL rejected this argument. Google now faces potential enforcement actions by other EU member states.
This is a wake-up call for data-driven companies operating across Europe. In order to be able to benefit from the one-stop shop, companies should appropriately empower their affiliates or subsidiaries to make decisions about the processing of EU personal data in the jurisdiction of choice.
2. GDPR Violations — Transparency and Informed Consent
The CNIL next found that Google violated core GDPR transparency and consent requirements. In particular, according to the CNIL:
- Google made it difficult for users to obtain essential information about how their personal data was used in connection with various products and services. Users had to take numerous steps and actions to access this information. For example, while users were offered an opt-out from receiving personalized ads, this option was provided in a pre-checked box and hidden behind a “More options” button.
The CNIL determined that the high fine (50 million euros) was justified by what the CNIL viewed as (i) the severity of the violations, (ii) the pervasiveness of Android in the French market and large amount of personal data involved, including potentially unlimited combinations of user data across multiple services, and (iii) the fact that the violations were not isolated but ongoing.
Please contact us if you would like discuss the impact of the CNIL’s decision on your GDPR compliance program.
Goodwin’s European Privacy & Cybersecurity team Gretchen Scott, partner, Privacy & Cybersecurity practice (London), Federica De Santis, associate, Privacy & Cybersecurity practice (London), and Jacqueline Klosek, counsel, Privacy & Cybersecurity practice (New York).
Goodwin’s Privacy & Cybersecurity Practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial institutions, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical, strategic advice on cutting edge issues involving all aspects of data driven technologies, and information governance and management, including compliance with domestic and international privacy laws, the establishment of comprehensive privacy programs, and privacy due diligence in commercial transactions.