
CNIL and Google: GDPR Showdown

By Paul Herbert

(Note: This article is based on an unofficial translation of CNIL’s judgement, so apologies for any errors or misunderstandings arising from this.)

Introduction

On 21 January 2019 the Commission Nationale de l’informatique et des libertés (France’s Data Protection Authority, otherwise known as CNIL) imposed a fine of €50m against Google for contraventions of the GDPR, specifically for lack of transparency, inadequate information to users and lack of valid consent in relation to its ads personalisation feature. 

This is a landmark decision: the level of fine is unprecedented; it is the first major investigation and adjudication under the GDPR; it is one of the first decisions to involve complaints made by consumer groups on behalf of data subjects; and of course it involves a titan of the technology age, one of the very actors in contemplation in the drafting of the new GDPR regime.

Extracts of the relevant GDPR provisions appear at the end of this article.

Background

This was clearly a much anticipated battle, as the first complaint was lodged with CNIL on 25 May 2018, the very date upon which the GDPR took effect throughout the EU. A second complaint was lodged only three days later, on 28 May. The complaints were lodged by two consumer groups: “None of Your Business” (“NOYB”), a body set up by Max Schrems following his earlier campaign against Google, and La Quadrature Du Net (LQDN), a French consumer campaigning group. CNIL’s papers reveal that LQDN and NOYB were mandated by 10,000 of their members to take up the case on their behalf with CNIL.

The respondent was Google LLC, a wholly owned subsidiary of Alphabet, which is the main Google entity in the US. CNIL’s judgement reminds us that Google’s annual turnover now comfortably exceeds $100bn and its global workforce numbers 70,000. In France, Google is represented by Google France Sarl based in Paris, which itself has 600 employees and a turnover of €325m. 

The complaints against Google were threefold, alleging:

(a) a breach of the transparency requirements in Articles 12 and 13 GDPR;

(b) a breach of the information requirements in Articles 12 and 13 GDPR (including in relation to information concerning legitimate interests); and

(c) a breach of Article 7 in relation to the issue of consent.

The Complaints related specifically to the circumstances surrounding the creation of a Google Account using mobile devices incorporating the Android operating system. 

Google raised a number of potential defences and objections, some understandable, others surprising. It firstly resisted the Complaints on jurisdictional grounds, pointing out that Google’s main establishment in the EU is Google Ireland Limited, located in Dublin. Therefore the Data Protection Commission should be regarded as Google’s lead supervisory authority and thus responsible for dealing with these Complaints, rather than CNIL. Students of this subject will be aware of the suggestion that the Irish Data Protection Authority has tended to apply a lighter touch when dealing with data protection matters in comparison with some of its European cousins.

CNIL rejected this contention on the basis that, in order for Google Ireland to be regarded as Google’s principal establishment in the EU, that entity must have decision-making power with regard to the processing of the personal data in question. “The quality of principal establishment pre-supposes the effective and real exercise of management activities determining the main decisions as to the purposes and means of the processing”. CNIL did not consider that Google Ireland was possessed of those powers. At the relevant time it did not have any decision-making power over the purposes and means of the processing described in Google’s Privacy Policy; indeed, Google Ireland was not even mentioned in the relevant Privacy Policy as the entity where the main decisions about the purposes and means of processing are made. If Google Ireland could not be considered the principal place of business of Google in Europe, then CNIL was competent to deal with these complaints under Article 85 GDPR.

Google’s next argument was that CNIL had erred in taking it upon itself to make a judgement on jurisdiction without referring the matter to the European Data Protection Board (“EDPB”) for its considered view. CNIL’s view was that, because of the lack of a principal establishment in the EU, Google is potentially subject to the control of every European supervisory authority in whose territory it is located. It did not consider that the matter was sufficiently doubtful as to require a referral to the EDPB on the question under Article 85. Guidelines issued by the EDPB already made clear how the position should be handled.

Apart from these jurisdiction arguments, Google also relied on certain procedural arguments. Google doubted the admissibility of the complaints lodged by NOYB and LQDN. This was given short shrift in view of the provisions of Article 80 of the GDPR, which recites the right of a data subject to mandate a properly constituted not-for-profit body to lodge complaints on his or her behalf. LQDN and NOYB clearly fell within the criteria of Article 80.

One of the most surprising arguments relied upon by Google was that the proceedings before CNIL were in contravention of the European Convention on Human Rights, and specifically Google’s right to a fair trial under Article 6. In this respect it relied on the fact that the proceedings were conducted only in French and that CNIL had earlier refused to extend the deadline by which Google was required to produce its initial observations. Google was also unhappy about the limited time CNIL allowed for the production of the company’s second observations. Not surprisingly, these arguments were also given short shrift. Since Google is established in France with several hundred employees, it could hardly use linguistic considerations as an objection. CNIL also considered that Google had sufficient material and human resources in France to allow for translation of the documents into English within a sufficient time frame to allow proper consideration.

Google also relied on several “perimeter issues”. It firstly argued that the Complaints wrongly conflated the Android system and the Google Account opening process, whereas these are actually separate services that implement different processing activities. In particular, when configuring a mobile device using the Android operating system, users clearly have the choice of whether or not to create a Google Account at that time, and the privacy rules explain how the Google services can be used with or without a Google Account.

CNIL did not challenge the existence of separate services linked to the Android operating system and Google Accounts, but emphasised how the user journey of a mobile customer using Android included the creation of an Account. The Complaints related to the information presented to the user when creating a Google Account using a mobile device utilising Android. The fact that the user may decide not to open a Google Account at that time was really immaterial. CNIL also noted that if the user selects not to open a Google Account he is presented with information stating “Your device works better with a Google Account” and “If you do not have a Google Account you will not be able to perform the following actions or enable the protection features of the device”. Users were therefore clearly directed or at least persuaded to open a Google Account at the point of inception. 

Google also pointed out that the process under scrutiny in the Complaints, namely the opening and creation of a Google Account using Android, is something undertaken by only 7% of Google users. This was given little credence by CNIL, who pointed out that the scope and extent of the processing of personal data carried out in respect of that group of users is similar to that which occurs for holders of a Google Account using an ordinary computer not running Android, i.e. substantial.

Lastly Google pointed out that the Complaints related to an older version of Android, but this was rejected as irrelevant since it was clear that even in the newer versions of Android, the user’s path when initiating services and opening an account was similar in material respects. 

Substantive Issues

The details of the Complaints in relation to the substantive issues were:

That Google had breached the requirement in Article 12 GDPR to ensure that any information required under Articles 13 and 14 is communicated in a precise, transparent, understandable and easily accessible manner in clear and simple terms, particularly information specifically intended for a child. Under Article 13(1), where the personal data is collected directly from the data subject, these obligations would of course apply at the time the data in question is obtained, specifically as to the identity and contact details of the controller, the purposes of processing and the legal basis for processing.

CNIL considered that the information provided by Google did not meet the objectives of accessibility, clarity and understanding, and that certain important information was not provided. CNIL relied in particular on the example of the ads personalisation feature. For an ordinary user to understand it, he or she must undertake many actions and combine several resources and documents. Firstly the user is required to read the general Privacy Policy and Terms of Use, then to click on the “More options” button, and then to click on the link to learn more about the personalisation process; in order to be fully possessed of the relevant information, the user has to consult a wide variety of different documents and sources. The same concerns also applied to the processing of geo-location data. A total of five actions were necessary to enable the user to access all the information relating to personalisation of ads, and six with regard to geo-location. Similar shortcomings were also identified in relation to retention periods for personal data. These evidenced a breach of the information requirements of the GDPR.

Where legitimate interests are relied upon as the grounds for processing, precise details of the legitimate interests pursued by the controller need to be explained.

This lack of clarity applied in relation to the legal basis for the personalisation of ads. In the initial rules of Confidentiality Google states “We ask for your permission to process your information for specific purposes and you are free to revoke your consent at any time. For example we ask for your permission to provide you with personalised services such as advertisements.” The legal basis adopted there clearly appears to be consent. However, Google further adds a reference to legitimate interests, in particular to enable it to carry out marketing actions in order to publicise its services to users and to use advertising in order to be able to provide the large number of services for free. This formulation does not allow the user to understand the distinction between personalised advertising based on consent and personalised advertising based on legitimate interests.

Consent

Consent must satisfy the definition in Article 4(11) and the requirements of Article 7. These require consent to be free, specific, informed and unambiguous, given by a declaration or other clear and positive act. Google tried to draw a distinction between the requirement for consent in Article 7 and that applicable in respect of Special Category Personal Data in Article 9. The latter refers expressly to the need for “explicit” consent. Google seemed to be suggesting that it met the requirements for “ordinary” consent under Article 7 and that CNIL should not subject it to the stricter test of “explicit” consent under Article 9. CNIL’s analysis of the procedures indicated that the user would not be able to understand the personalisation of advertising on the basis of the information provided. They would also have no perception of the nature and volume of the data which is collected to enable these features. Thus the consent was not sufficiently informed. Nor did Google’s procedures ensure that consent was given by a clear and positive act. The user did not have sufficient options when opening an Account to access readily obtainable information which would allow them to make an informed decision about all the different processing options presented to them. Significantly, CNIL also opined that the criteria for consent for special category personal data are no more onerous than those for ordinary personal data.

Sanction

In considering the level of penalty, CNIL took account of the fact that the requirements for transparency and lawful bases laid down in the GDPR are fundamental guarantees that enable data subjects to keep control of their data. The disregard of these essential obligations was therefore particularly serious. Furthermore, the transgressions noted to date were ongoing. Also, the scale of data and services involved was substantial, involving “Enlightening information about the subjects’ lifestyles, their opinions and social interactions, touching their identity and intimacy and allowing potentially a massive and intrusive processing of user data”. The whole purpose of the GDPR was to strengthen the rights of individuals against unlawful processing of their data in the face of the rapid evolution of technology and globalisation. Lastly, CNIL noted the substantial benefits which Google derives from the processing of users’ data. All these factors, taken together, suggested that a fine at the level of €50m would be appropriate, together with the publication of the sanction and adjudication. This is of course significantly less than 4% of Google’s turnover.

In Conclusion…

This is a landmark decision involving a huge financial penalty. It entailed a detailed and forensic examination of the processes and policies encountered in the opening of a Google Account by a mobile user, by reference to the requirements of the GDPR. Ironically, that is a process which in many cases a typical user completes in a matter of minutes whilst on the hoof. Such users are arguably not particularly bothered about the small print or the niceties of consent vs legitimate interests as a basis for processing. They know that nothing really comes for free on the Internet and that Google extracts its payment in data and targeting. But such realities matter little where the GDPR is concerned. Google’s processes and policies did not pass muster under the GDPR, whose provisions are the new reality.

Google has the right to appeal CNIL’s position to the Conseil d’Etat within 2 months. However, ordinarily the fine must nevertheless be paid in the meantime. It is hard to imagine this right not being exercised by Google.

This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.