On 21 January 2019, the CNIL (the French data protection regulator) announced that it had imposed a financial penalty of €50m against Google LLC (Google) for alleged breaches of the General Data Protection Regulation (GDPR). The penalty arose from group complaints from two associations, None Of Your Business and La Quadrature du Net. The two associations alleged that Google did not have valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.

The CNIL's decision to issue such a significant financial penalty sends a clear message that it is prepared to exercise the powers in the GDPR to punish organisations for non-compliance. Where the CNIL has gone, other DPAs may well follow.

So what did Google do or fail to do which resulted in this penalty?

  • In the CNIL's opinion, information about Google's processing was not easily accessible to users as information had to be accessed via multiple documents and via links and buttons. In some cases, users had to take 5 or 6 steps to find the relevant information
  • The CNIL considered that information was not always clear or comprehensive:
    • users were not able to fully understand the extent of the processing operations;
    • the descriptions of the purposes of the processing were too generic and vague as were the categories of the data processed;
    • the legal basis for the processing was not clear; and
    • for some data, Google did not set out the retention period.
  • Google stated that it obtained consent to process for ad personalisation. But the CNIL found that consent was not valid for two reasons:
    • users were not sufficiently informed as information on that processing was "diluted in several documents" so that users could not be fully aware of the entirety of the processing across a range of services, websites and applications;
    • user consent was neither "specific" or "unambiguous". When creating an account, users were required to tick two boxes "I agree to Google's Terms of Services" and "I agree to the processing of my information as described above and further explained in the Privacy Policy". In the opinion of the CNIL, this did not comply with the GDPR. Consent was given by users for all purposes, rather than being distinct for each purpose. Importantly, Google used pre-ticked boxes to obtain consent to personalised ads.

Why was the penalty so high?

The CNIL considered that the penalty was justified:

  • by the severity of the infringements of essential GDPR principles of transparency, information and consent
  • because Google's deprivation of users of the essential guarantees regarding processing operations that reveal important parts of the users' private lives
  • as the processing was based on a "huge amount of data, a wide variety of services and almost unlimited combinations"
  • as the infringements were continuous breaches and are still observed to date
  • due to the important place that the Android system has on the French market
  • as Google's economic model was based partly on ad personaliation.

Google has a right of appeal.

Why did the CNIL take this action not the Irish Data Protection Commissioner?

The CNIL highlighted in its press release that when it initiated its investigation, Google's European establishment in Ireland did not have the necessary decision making power on the processing operations carried out in relation to the Android operating system and the services provided by Google. Consequently, the one-stop shop mechanism did not apply. Therefore, the CNIL was as competent as any other DPA (including the Irish regulator) to investigate the company's processing operations.

What steps should controllers take as a result?

We recommend that all controllers review their processing activities. In particular, controllers should:

  • review the accessibility of processing information to data subjects
  • when using tiered privacy notices ensure that they are clearly and easily navigable by users
  • ensure that the processing information is concise, transparent and intelligible for the intended audience
  • check that information in the notices meets the requirements of the GDPR (in particular Articles 13 and 14)
  • ensure that there are one or more valid and lawful purpose(s) for processing personal data. If relying on consent, ensure that the language and mechanism used meet the definition and conditions for valid consent.

The CNIL's press release is available here and the decision (in French) here.