CNIL's EUR 50m fine against Google gives data protection activists an important victory
On 21 January 2019, the Commission Nationale de l'Informatique et des Libertés (CNIL), France's national data protection supervisory authority, imposed a EUR 50 million fine on Google LLC for breaching its transparency and information duties towards users of Google services (Android) and for deficiencies in the way it obtains consent for personalised advertising.
Background
The CNIL decision related to complaints brought separately by the data protection organisations "La Quadrature du Net" and "None Of Your Business". Both complaints were filed with the French supervisory authority immediately after the GDPR became applicable on 25 May 2018. The activists – including the prominent Viennese campaigner Max Schrems – claimed among other things that Google's services pressured users into what they called "forced consent", because unless users gave that consent they could not make full use of the services. The campaigners accused Google of operating a "take it or leave it" privacy policy and of violating the ban on consent bundling enshrined in Art. 7(4) GDPR. "None Of Your Business", the organisation founded by Schrems, had also filed similar complaints with supervisory authorities in other EU member states against Facebook (Austria), WhatsApp (Germany) and Instagram (Belgium).
Competence of the CNIL
The CNIL began by confirming that it was competent to rule on the matter. This was necessary because Article 56 GDPR provides that in cross-border cases the lead supervisory authority is the authority of the controller's main establishment (the "one-stop shop"). However, having conferred with the other national supervisory authorities – particularly the Irish authority, since Google's European operations are based in Ireland – the CNIL concluded that Google did not have a "main establishment" in a member state within the meaning of the GDPR. Under the regulation, a controller's main establishment is in principle its place of central administration in the EU, provided that decisions on the purposes and means of processing are actually taken there. In Google's case, the CNIL found that decision-making power over the processing at issue lay with the company's headquarters in the USA rather than with Google Ireland. With no lead authority to defer to, the CNIL was therefore competent under Article 55 GDPR to rule on the lawfulness of Google's processing of data relating to users in France, and could exercise its corrective powers under Article 58 GDPR.
Violation of transparency and information duties
First, the CNIL found that the information Google provides on how data is processed is not sufficiently accessible. Essential information such as the purposes of processing, data retention periods and the categories of personal data used for ad personalisation is spread across a number of different documents. The CNIL's investigation established that to obtain all of the relevant information, users must click through separate buttons and links, in some cases taking five or six intermediate steps.
The CNIL also found that the information Google provides lacks clarity and is hard to understand, and criticised the lack of transparency about the extent of the processing, which, given the number of services involved, is particularly intrusive for users. In particular, the CNIL considered that the description of the processing purposes and of the types of data collected for those purposes was too generic and vague to satisfy the transparency requirements. Finally, the information on the legal basis for ad personalisation, which Google presents as resting on the user's consent, fell short of the legal requirements, and Google did not state how long it retains certain categories of data before erasing them.
Acts of consent for personalised ads not valid
The CNIL also held that Google has no valid legal basis for personalising ads, because the consent it collects from users is invalid under data protection law for a number of reasons.
Google does not give users sufficient information for their consent to be informed ("consentement pas suffisamment éclairé"), largely because the information is spread across several documents, which dilutes it, particularly as regards the extent of the processing carried out across services such as Google Search, YouTube, Google Home, Google Maps, the Google Play Store and Google Photos.
The CNIL also observed that the consent obtained was neither sufficiently specific ("spécifique") nor unambiguous ("univoque"). Although new users can in theory adjust various settings for personalised ads by clicking the "More options" ("plus d'options") button before creating an account, this still breaches the GDPR, because the box for showing personalised ads is pre-ticked by default and the user has to take positive action to opt out. Under the GDPR, consent is only unambiguous if users express their choice by actively ticking a box that is empty by default. Furthermore, the CNIL found that users are led to give one blanket consent for all of the purposes pursued by Google. Consent must instead be given separately for each purpose, because under data protection law the storage, use and processing of personal data must relate to a specific purpose.
A victory against "forced consent"?
The central complaint by the activists concerned the practice of Google and other data giants of obtaining blanket consent from new users when they register. When the GDPR became applicable, users of such services were suddenly faced with large numbers of consent boxes that had to be ticked before they could continue using the services. The activists condemned this practice as "forced consent".
Accordingly, a central element of the "None Of Your Business" complaint was the absence of freely given consent, for which Article 7(4) GDPR and Recital 43 impose strict requirements. The activists argued that consent cannot be freely given if access to a service is conditional on consenting to processing that is not necessary for that service ("Conditionnalité de l'accès au Service"). They argued that Google operates on an "all or nothing" basis ("Tout ou rien"), requiring users to accept its privacy policy and terms of use for all of its services (Google Search, Google Home, Google Maps, etc.) even if the user has no intention of using most of them. On this view the consent was neither freely given nor related to a specific purpose.
Although the CNIL made no mention of "forced consent" ("consentement forcé"), it shared the view that Google's consent boxes lead the user to consent "en bloc" to all of the purposes pursued by Google. The French data protection authority ultimately found that the process lacks the proper information that is a prerequisite for informed consent, fails the requirement of purpose-specific consent and does not produce unambiguous consent. Highlighting the principle of purpose limitation, the CNIL emphasised that consent is only valid if it is given separately for each individual purpose, which is exactly what the data protection activists had argued in this case.
So while the CNIL ultimately ruled that these practices were unlawful, it did not label them "forced consent" as the activists had hoped. Nevertheless, the CNIL found that Google's breaches, taken together, warranted a substantial fine under Article 83 GDPR.
Fine and reaction of data protection activists
In its decision of 21 January 2019 the CNIL imposed a EUR 50 million fine on Google. The CNIL justified the decision and the amount of the fine by the gravity of the violations of data protection law, which undermine the GDPR's fundamental principles of transparency, information and consent. These violations deprive Google's users of fundamental guarantees regarding the processing of their personal data. In particular, the violations were not isolated incidents but ongoing infringements of GDPR requirements, and given the significance of the Android system in the French market they affect a very large number of users.
The CNIL fine is hefty, but still well below the maximum. The complainants, invoking Article 83(5)(a) GDPR, which provides for fines of up to EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, had pointed out in their complaint that this could mean a fine of up to USD 3.79 billion for Google. On publication of the decision, Max Schrems called the penalty imposed by the CNIL a record fine for data protection. He added, however, that it was little more than a "warning shot" in view of Google's overall turnover. Responding to the decision, a Google spokesperson said that the company was seeking to comply with the GDPR's high standards of transparency and consent.
The CNIL decision, which applied a comparatively strict reading of the GDPR's provisions and of the guidance issued on them by the European Data Protection Board and its predecessor, the Article 29 Working Party, will remind companies of the importance of transparency and information duties and, crucially, of the principle of purpose limitation. Tech companies, particularly those engaged in personalised advertising, that fail to comply with these and other fundamental data protection principles are likely to face heavy fines, including sanctions from the supervisory authorities of other member states.
For more information on the CNIL's decision and the GDPR, please contact one of our resident experts.