Alert January 28, 2019

French Privacy Regulator Imposes Record Fine on Google for GDPR Violations

On January 21, 2019, France’s data protection regulator (CNIL) imposed a €50 million fine on Google for violating core provisions of the European Union General Data Protection Regulation (GDPR). The action was initiated by two nonprofits on behalf of nearly 10,000 individuals. Google has announced that it will appeal the decision before the French Council of State.

Key Takeaways

  • This decision is the largest fine to date issued under the GDPR. It should be seen as a potential bellwether for global tech and digital advertising companies that are likely to be the subject of intense scrutiny by EU regulators.
  • Businesses may not “forum shop” for a lead privacy regulator in a jurisdiction that is perceived to be more business-friendly. Companies must be thoughtful and strategic about the location of actual decision-making activities involving EU personal data. Companies must support their chosen “main establishment” through appropriate records and other evidence and ensure that public statements and privacy policy disclosures do not inadvertently undermine their ability to benefit from the one-stop shop (explained below).
  • The CNIL’s application of the GDPR’s core requirements of transparency and informed consent is not surprising — it is in line with the spirit of the GDPR and recently issued guidance by the European Data Protection Board. Companies must review privacy disclosures and consent mechanisms to ensure they are clear, easily understood, and readily actionable without requiring users to go through a lot of steps. Disclosures should not be generic; instead, they should inform users about product-specific uses of their personal data.

Background

The CNIL’s investigation was triggered by complaints against Google from two nonprofit advocacy organizations (None Of Your Business — led by the privacy activist who successfully challenged the U.S.–EU Safe Harbor framework for cross border transfers — and La Quadrature du Net) for: (i) allegedly forcing Android users to accept Google’s privacy terms or lose access to the services; and (ii) violating the GDPR’s transparency and informed consent requirements.

Decision

1. “One-Stop Shop”

As a threshold matter, the CNIL jettisoned Google’s reliance on “one-stop shop” and asserted jurisdiction over both actions. The one-stop shop is a mechanism under the GDPR that empowers the EU privacy regulator of the member state where a company has its “main establishment” to take the lead in compliance oversight, investigations, and enforcement. Google argued that its main establishment was in Ireland, where it has finance, accounting, sales, advertising and other operations and that, therefore, the Irish regulator had jurisdiction over the case as Google’s lead authority. The CNIL rejected this argument. Google now faces potential enforcement actions by other EU member states. 

The CNIL’s assertion of jurisdiction was based on several findings, including that: (i) Google U.S. (not Google Ireland) had decision-making authority over Android users’ data processing activities, consistent with the disclosures made by Google in its privacy policy; and (ii) Google effectively acknowledged that Google Ireland was not its “main establishment” when it recently publicly stated its intent to transfer decision-making power over relevant data processing activities to Google Ireland.

This is a wake-up call for data-driven companies operating across Europe. In order to be able to benefit from the one-stop shop, companies should appropriately empower their affiliates or subsidiaries to make decisions about the processing of EU personal data in the jurisdiction of choice.

2. GDPR Violations — Transparency and Informed Consent

The CNIL next found that Google violated core GDPR transparency and consent requirements. In particular, according to the CNIL:

  • Google made it difficult for users to obtain essential information about how their personal data was used in connection with various products and services. Users had to take numerous steps and actions to access this information. For example, while users were offered an opt-out from receiving personalized ads, this option was provided in a pre-checked box and hidden behind a “More options” button.
  • The GDPR requires that users be provided with information about their personal data that is “concise, intelligible and easily accessible.” The CNIL concluded that Google failed to meet this standard because Google’s privacy disclosures were too generic, vague, inaccessible, and incomplete.  Therefore, it was difficult for users to understand the impact of consenting to Google’s use of their data, including in relation to serving targeted ads across multiple services (e.g., YouTube, Google Maps, Google Play). Before creating an account, users were prompted to “agree” to Google’s privacy policy, but no granular, product- and use-specific disclosures were provided and no specific consent was sought. Users were essentially forced to accept all or no use of their personal data instead of being able to consent for the data processing associated with specific uses.

FINE

The CNIL determined that the high fine (50 million euros) was justified by what the CNIL viewed as (i) the severity of the violations, (ii) the pervasiveness of Android in the French market and large amount of personal data involved, including potentially unlimited combinations of user data across multiple services, and (iii) the fact that the violations were not isolated but ongoing.

Please contact us if you would like discuss the impact of the CNIL’s decision on your GDPR compliance program.

 

 

Contacts:

Goodwin’s European Privacy & Cybersecurity team includes Karen L. Neuman, partner and privacy lead, Privacy & Cybersecurity practice (Washington), Gretchen Scott, partner, Privacy & Cybersecurity practice (London), Federica De Santis, associate, Privacy & Cybersecurity practice (London), and Jacqueline Klosek, counsel, Privacy & Cybersecurity practice (New York).

To learn more about how Goodwin can help your company address privacy and cybersecurity, contact Brenda R. Sharton, partner and Chair of the Privacy & Cybersecurity practice.

Goodwin’s Privacy & Cybersecurity Practice is one of the longest-standing privacy practices of any global 50 firm and has been ranked among leading law firms for privacy and cybersecurity, including by Legal 500 and Chambers. It fully integrates and leverages the firm's core strengths, with the group's lawyers coming from the technology, financial institutions, licensing, litigation and regulatory practices. The team has handled hundreds of data breach investigations, litigated landmark privacy cases, and defended clients in investigations and enforcement actions brought by state attorneys general and federal data protection regulators. Goodwin provides clients practical, strategic advice on cutting edge issues involving all aspects of data driven technologies, and information governance and management, including compliance with domestic and international privacy laws, the establishment of comprehensive privacy programs, and privacy due diligence in commercial transactions.