CNIL and Google: GDPR Showdown
Author: Paul Herbert
(Note: This article is based on an unofficial translation of CNIL’s judgement, so apologies for any errors or misunderstandings arising from this.)
On 21 January 2019 the Commission Nationale de l’informatique et des libertés (France’s Data Protection Authority, otherwise known as CNIL) imposed a fine of €50m against Google for contraventions of the GDPR, specifically for lack of transparency, inadequate information to users and lack of valid consent in relation to its ads personalisation feature.
This is a landmark decision: the level of fine is unprecedented; it is the first major investigation and adjudication under the GDPR; it is one of the first decisions to involve complaints made by consumer groups on behalf of data subjects; and of course it involves a titan of the technology age, one of the very actors in contemplation in the drafting of the new GDPR regime.
Extracts of the relevant GDPR provisions appear at the end of this article.
This was clearly a much anticipated battle, as the first complaint was lodged with CNIL on 25 May 2018, the very date upon which the GDPR took effect throughout the EU. A second complaint was lodged only three days later, on 28 May. The complaints were lodged by two consumer groups: “None of Your Business” (“NOYB”), a body set up by Max Schrems following his earlier campaign against Google, and La Quadrature Du Net (LQDN), a French consumer campaigning group. CNIL’s papers reveal that LQDN and NOYB were mandated by 10,000 of their members to take up the case on their behalf with CNIL.
The respondent was Google LLC, a wholly owned subsidiary of Alphabet, which is the main Google entity in the US. CNIL’s judgement reminds us that Google’s annual turnover now comfortably exceeds $100bn and its global workforce numbers 70,000. In France, Google is represented by Google France Sarl based in Paris, which itself has 600 employees and a turnover of €325m.
The complaints against Google were threefold, alleging:
(a) a breach of the transparency requirements in Articles 12 and 13 GDPR;
(b) a breach of the information requirements in Articles 12 and 13 GDPR (including in relation to information concerning legitimate interests); and
(c) a breach of Article 7 in relation to the issue of consent.
The Complaints related specifically to the circumstances surrounding the creation of a Google Account using mobile devices incorporating the Android operating system.
Google raised a number of potential defences and objections, some understandable, others surprising. It firstly resisted the Complaints on jurisdictional grounds, pointing out that Google’s main establishment in the EU is Google Ireland Limited, located in Dublin. On that basis, Google argued, the Irish Data Protection Commission should be regarded as Google’s lead supervisory authority and thus responsible for dealing with these Complaints, rather than CNIL. Students of this subject will be aware of the suggestion that the Irish Data Protection Authority has tended to apply a lighter touch when dealing with data protection matters in comparison with some of its European cousins.
Google’s next argument was that CNIL had erred in taking it upon itself to make a judgement on jurisdiction without referring the matter to the European Data Protection Board (“EDPB”) for its considered view. CNIL’s view was that, because Google lacked a principal establishment in the EU, it was potentially subject to the control of every European supervisory authority in whose territory it is located. CNIL did not consider the matter sufficiently doubtful to require a referral to the EDPB on the question under Article 85: guidelines issued by the EDPB already made clear how the position should be handled.
Apart from these jurisdiction arguments, Google also relied on certain procedural arguments. Google doubted the admissibility of the complaints lodged by NOYB and LQDN. This was given short shrift in view of the provisions of Article 80 of the GDPR, which recites the right of a data subject to mandate a properly constituted not-for-profit body to lodge complaints on his or her behalf. LQDN and NOYB clearly fell within the criteria of Article 80.
One of the most surprising arguments relied upon by Google was that the proceedings before CNIL were in contravention of the European Convention on Human Rights, and specifically Google’s right to a fair trial under Article 6. In this respect it relied on the fact that the proceedings were conducted only in French and that CNIL had earlier refused to extend the deadline by which Google was required to produce its initial observations. Google was also unhappy about the limited time CNIL allowed for the production of the company’s second observations. Not surprisingly, these arguments were also given short shrift. Since Google is established in France with several hundred employees, it could hardly use linguistic considerations as an objection. CNIL also considered that Google had sufficient material and human resources in France to allow for translation of the documents into English within a time frame that permitted proper consideration.
Google also relied on several “perimeter issues”. It firstly argued that the Complaints wrongly conflated the Android system and the Google Account opening process while these are actually separate services that implement different processing activities. In particular when configuring a mobile device using the Android operating system, users clearly have the choice of whether or not to create a Google Account at that time and the privacy rules explain how the Google services can be used with or without a Google Account.
CNIL did not challenge the existence of separate services linked to the Android operating system and Google Accounts, but emphasised how the user journey of a mobile customer using Android included the creation of an Account. The Complaints related to the information presented to the user when creating a Google Account using a mobile device utilising Android. The fact that the user may decide not to open a Google Account at that time was really immaterial. CNIL also noted that if the user selects not to open a Google Account he is presented with information stating “Your device works better with a Google Account” and “If you do not have a Google Account you will not be able to perform the following actions or enable the protection features of the device”. Users were therefore clearly directed or at least persuaded to open a Google Account at the point of inception.
Google also pointed out that the process under scrutiny in the Complaints, namely the opening and creation of a Google Account using Android, is something undertaken by only 7% of Google users. This was given little credence by CNIL, who pointed out that the scope and extent of the processing of personal data carried out in respect of that group of users is similar to that which occurs for holders of a Google Account using an ordinary computer not running Android, i.e. substantial.
Lastly Google pointed out that the Complaints related to an older version of Android, but this was rejected as irrelevant since it was clear that even in the newer versions of Android, the user’s path when initiating services and opening an account was similar in material respects.
The details of the Complaints in relation to the substantive issues were:
That Google had breached the requirement in Article 12 GDPR to ensure that any information required under Articles 13 and 14 is communicated in a precise, transparent, understandable and easily accessible manner in clear and simple terms, particularly information specifically intended for a child. Under Article 13(1) where the personal data is collected direct from the data subject, these obligations would of course apply at the time the data in question is obtained, specifically the identity and contact details of the controller and the purposes of processing and the legal basis for processing.
Where legitimate interests is relied upon as grounds for processing, precise details of those legitimate interests pursued by the controller need to be explained.
This lack of clarity applied in relation to the legal basis for the personalisation of ads. In the initial rules of Confidentiality Google states “We ask for your permission to process your information for specific purposes and you are free to revoke your consent at any time. For example we ask for your permission to provide you with personalised services such as advertisements.” The legal basis adopted there clearly appears to be consent. However, Google further adds a reference to legitimate interests, in particular to enable it to carry out marketing actions in order to publicise its services to users and to use advertising in order to be able to provide the large number of services for free. This formulation does not allow the user to understand the distinction between personalised advertising based on consent and personalised advertising based on legitimate interests.
Consent must satisfy the definition in Article 4(11) and the requirements of Article 7. These require consent to be free, specific, informed and unambiguous, given by a declaration or other clear and positive act. Google tried to draw a distinction between the requirement for consent in Article 7 and that applicable in respect of Special Category Personal Data in Article 9. The latter refers expressly to the need for “explicit” consent. Google seemed to be suggesting that it met the requirements for “ordinary” consent under Article 7 and that CNIL should not subject it to the stricter test of “explicit” consent under Article 9. CNIL’s analysis of the procedures indicated that the user would not be able to understand the personalisation of advertising on the basis of the information provided. They would also have no perception of the nature and volume of the data collected to enable these features to operate. Thus the consent was not sufficiently informed. Nor did Google’s procedures ensure that consent was given by a clear and positive act. The user did not have sufficient options when opening an Account to access readily obtainable information which would allow them to make an informed decision about all the different processing options presented to them. Significantly, CNIL also opined that the criteria for consent for special category personal data are no more onerous than those for ordinary personal data.
In considering the level of penalty, CNIL took account of the fact that the requirements for transparency and lawful bases laid down in the GDPR are fundamental guarantees that enable data subjects to keep control of their data. The disregard of these essential obligations was therefore particularly serious. Furthermore, the transgressions noted to date were ongoing. Also, the scale of data and services involved was substantial, involving “Enlightening information about the subjects’ lifestyles, their opinions and social interactions, touching their identity and intimacy and allowing potentially a massive and intrusive processing of user data”. The whole purpose of the GDPR was to strengthen the rights of individuals against unlawful processing of their data in the face of the rapid evolution of technology and globalisation. Lastly, CNIL noted the substantial benefits which Google derives from the processing of users’ data. All these factors, taken together, suggested that a fine at the level of €50m would be appropriate, together with the publication of the sanction and adjudication. This is of course significantly less than 4% of Google’s turnover.
This is a landmark decision involving a huge financial penalty. It entailed a detailed and forensic examination of the processes and policies encountered in the opening of a Google Account by a mobile user, by reference to the requirements of the GDPR. Ironically that is a process which in many cases a typical user completes in a matter of minutes whilst on the hoof. Such users are arguably not particularly bothered about the small print or the niceties of consent vs legitimate interests as a basis for processing. They know that nothing really comes for free on the Internet and that Google extracts its payment in data and targeting. But such realities matter little where the GDPR is concerned. Google’s processes and policies did not pass muster under the GDPR, whose provisions are the new reality.
Google has the right to appeal CNIL’s decision to the Conseil d’Etat within two months. However, ordinarily the fine must nevertheless be paid in the meantime. It is hard to imagine this right not being exercised by Google.
This guide is for general information and interest only and should not be relied upon as providing specific legal advice. If you require any further information about the issues raised in this article please contact the author or call 0207 404 0606 and ask to speak to your usual Goodman Derrick contact.