CNIL fines Google LLC EUR50 million - Focus on: Jurisdiction and fines under GDPR
The French data protection regulator has slapped Google LLC with a EUR50 million financial penalty under the GDPR. The fine relates to Google LLC’s alleged failure to provide users of its services with adequate and transparent information about how their personal data is used for ad personalisation within its Android operating system and failing to obtain their valid consent to this.
We examine the implications for transparency and consent in our Law-Now: CNIL fines Google LLC EUR50 million – Focus on: Transparency and consent for ad personalisation under GDPR.
The decision has jurisdictional implications for multi-national companies, particularly as regards which EU regulators they may need to deal with. It also gives some insight into the factors considered when setting fines under the GDPR.
Who made the complaints and what were they about?
Within days of the GDPR applying on 25 May 2018, the Commission Nationale de l'Informatique et des Libertés (the “CNIL”) received group complaints from two consumer / privacy associations, None Of Your Business (noyb, fronted by Austrian privacy activist Max Schrems) and La Quadrature du Net (LQDN, backed by 10,000 people in making the complaint).
The complaints alleged that Google LLC (“Google”) did not:
- meet the requirements of the GDPR regarding information and transparency; or
- have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes.
Why did the CNIL decide to hear the complaints when Google’s headquarters are in Ireland?
Despite Google having its EU headquarters in Ireland, the Irish DPA did not have jurisdiction in this instance because Google’s Irish establishment “did not have a decision-making power on the processing operations” related to its Android operating system (which likely happened in the U.S.). As such, at the relevant time, Google did not have an establishment in the EU.
This took the complaint outside the “one-stop-shop” mechanism, which provides that, where an organisation is set up in the EU, the data protection authority (“DPA”) of the country where its “main establishment” is located shall serve as “lead authority”. As the “one-stop-shop” did not apply, the CNIL was competent to take any decision regarding processing operations carried out by Google, which it did after consulting with the other EU DPAs. (The CNIL was of the view that the other DPAs would also have competence.)
What does the decision mean for organisations in terms of dealing with regulators?
The fact that an organisation has its EU headquarters in one Member State does not necessarily mean that that Member State’s DPA will always be its lead supervisory authority for all issues.
In a complex global business with different decision centres for different services, this could mean having to answer to multiple regulators. If the processing decisions for a particular service are made outside the EU, any or all of the EU DPAs may have competence to deal with complaints, depending on where the affected data subjects are based. The DPAs will consider individual processing activities and decide case by case whether the activities concern cross-border processing for which a lead supervisory authority should be involved.
This decision may accordingly prompt businesses to think about where key strategic decision-making teams are located (although this may also have operational and tax implications).
How was the EUR50 million fine calculated?
Infringements of the data protection principles and the transparency and consent provisions of the GDPR are punishable by the highest tier of administrative fines of up to the higher of EUR20 million or 4% of worldwide annual turnover in the preceding financial year.
The decision does not go into much detail as to exactly how the EUR50 million figure was arrived at. However, the CNIL indicated that:
“The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.”
Material factors seemed to be:
- the volume of data and the intrusiveness of the processing activities due to their extensive nature;
- the fact that the violations are ongoing breaches of the GDPR, not a one-off, time-limited infringement; and
- the importance and prevalence of the Android operating system in the French market, including in terms of numbers of affected users.
Furthermore, the CNIL took the opportunity to highlight the importance of ad personalisation to Google’s bottom line, specifically pointing out that:
“… the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.”
For a business of Google’s size, the fine levied is nowhere near the GDPR maximum. However, it should be taken as a sign that the regulators will not shy away from exercising their new punchier enforcement powers under the GDPR.
What happens next?
This has been described by the CNIL as an ongoing and repeated breach of the GDPR, meaning that Google could face further enforcement action unless it either brings its practices into line or launches an appeal. Google has announced that it will be appealing the decision.