The first huge GDPR penalty of 50 million euros for GOOGLE imposed by French DPA CNIL on January 21, 2019

An interesting decision of the French Data Protection Authority (“ DPA”) CNIL.( See CNIL.fr) The French CNIL is de first supervisory authority imposing a huge penalty based on the GDPR! In the UBER case the Dutch DPA en the UK ICO based their penaltys still on the older national privacy legislation and those penaltys were much lower £385,000 in the UK and €600,000 in the Netherlands. That was about a data breach, which was kept secret for one year by Uber. On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. The associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.

“One-stop-shop mechanism” was not applicable

The GDPR (art. 55) establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. In the Uber case for example the Dutch DPA had the lead. In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow to consider that GOOGLE had a main establishment in the European Union. When the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone. As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPA’s as well.

Two types of breaches

The CNIL observed two types of breaches of the GDPR.

A. Violation of the obligations of transparency and information

The information provided by GOOGLE is not easily accessible for users. The relevant essential information is accessible after several steps only, implying sometimes up to 5 or 6 actions. The information is not always clear nor comprehensive. Users are not able to fully understand the extent of the processing operations carried out by GOOGLE. The purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. The information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. The restricted committee notices that the information about the retention period is not provided for some data.

B. Violation of the obligation to have a legal basis for ads personalization processing

The users’ consent is not sufficiently informed. The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined. The collected consent is neither “specific” nor “unambiguous”. When an account is created, the user can admittedly modify some options associated to the account by clicking on the button « More options », accessible above the button « Create Account ». It is notably possible to configure the display of personalized ads. That does however not mean that the GDPR is respected. The user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.

The penalty imposed: why 50 million euros?

The penalty is justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent. Despite the measures implemented by GOOGLE (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The users have to be enabled to control their data and therefore have to be sufficiently informed before giving consent. The violations are continuous breaches of the Regulation as they are still observed up to now, It is not a one-off, time-limited, infringement. The important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone. The economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter. A very clear and soon warning for he whole market I think. This is what could be expected taking the GDPR seriously, no warnings and in this case immediate penaltys. A serious impact for the business models of the Googles in this world.