January 24, 2019
On January 21, 2019, the French Data Protection Authority (the “CNIL”) issued a public ruling against Google LLC. In its ruling, the CNIL imposed a penalty of 50 million euros on Google LLC for breach of EU transparency and information obligations and lack of valid consent for targeted advertising purposes.
By this decision, the CNIL becomes the first European data protection authority to levy significant sanctions against a major global internet company based on the provisions of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
This client alert lays out the main points of the decision.
In May 2018, two organizations (None Of Your Business and La Quadrature du Net) initiated actions before the CNIL pursuant to Article 80 of the GDPR, which provides the right for data subjects to mandate a not-for-profit body, organization or association to exercise rights and bring claims on their behalf. Through these actions, the two organizations asserted claims on behalf of around 10,000 individuals.
Following the collective complaints, the CNIL started an investigation.
On June 1, 2018, pursuant to the cooperation provisions of the GDPR, the CNIL submitted the complaints to its European counterparts to assess whether it was competent to handle them. As a reminder, the GDPR provides for a one-stop-shop mechanism which requires that an organization established in the EU shall have, as its sole interlocutor, the supervisory authority of its “main establishment” (also called the “lead supervisory authority”). This data protection authority then acts as a “lead” authority. As a consequence, before taking a decision, it must coordinate with other national data protection authorities.
In this case, the CNIL concluded that Google Ireland Limited was not the main establishment of Google LLC in the European Union as it did not have management powers regarding the processing operations at issue. Therefore, in the absence of a main establishment leading to the identification of a lead supervisory authority, the CNIL concluded that it had jurisdiction over Google LLC.
In order to investigate the complaints, the CNIL conducted an online inspection in September 2018. The objective was to verify the compliance of personal data processing carried out by Google LLC with the French Data Protection Act and the GDPR, by analyzing a user’s journey and the documents to which they have access when creating a Google account and configuring their mobile equipment under Android.
The CNIL sanctioned Google LLC for (1) a lack of transparency and unsatisfactory information, and (2) a lack of valid consent for the data processing of advertising personalization.
The CNIL found that the information Google provided to its users did not meet the requirements of accessibility, clarity and intelligibility provided for in Article 12 of the GDPR.
The information provided by Google LLC is not easily accessible to users because essential information (including among others, the purposes for which the data are processed, the length of time the data are kept or the categories of data collected for targeted advertising purposes) is excessively spread over several documents, which contain buttons and links that need to be activated to access additional information. Relevant information is only accessible after several steps that sometimes involve up to five or six actions.
The information provided by Google LLC is not sufficiently clear and comprehensible to users because the purposes of the processing are described in too generic and vague a manner. Similarly, the information provided is not clear enough for the user to understand that Google LLC is relying on the consent of the data subjects to process their personal data for targeted advertising purposes.
Moreover, the CNIL found that mandatory information required by Article 13 of the GDPR is missing (notably the data retention period).
The CNIL noted that Google LLC is relying on the consent of the data subjects to process personal data for advertising personalization purposes. Yet, the CNIL found that this consent is not validly obtained as it is (i) not sufficiently informed, and (ii) not specific and unambiguous.
The consent of users is not sufficiently informed because the information on the processing is diluted across several documents and does not allow the user to be aware of its extent. For example, in the section dedicated to the “Personalization of ads”, the user is not informed of the plurality of services, sites and applications involved in these processing operations (Google Search, YouTube, Google Home, Google Maps, Play Store, Google Photos…) and therefore of the volume of data processed and combined.
The consent of users is not unambiguous because the display of personalized ads is pre-checked by default and does not involve any positive act performed by the user, as required by the GDPR (for example, ticking a box that is not pre-checked).
According to Article 83 paragraph 5 of the GDPR, the infringement of certain provisions of the GDPR by a company shall be subject to administrative fines up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Google LLC generated revenues of $109.7 billion (approximately €96 billion) in 2017. Although the CNIL had the opportunity to apply a fine up to 4% of Google LLC’s total worldwide annual turnover (corresponding to €3,840 billion), it decided that a financial sanction of €50 million, corresponding to 0.05% of Google LLC’s worldwide annual turnover, was justified in this case.
The CNIL notably took into consideration the following criteria to assess the amount of the fine:
– the breaches of Google LLC concern essential principles of the GDPR;
– the infringements are continuous;
– a large number of data subjects are concerned; and
– Google’s business model is partly based on targeted advertising and Google LLC should thus pay particular attention to its responsibility under the GDPR when implementing such targeted advertising.
This was the first occasion that the CNIL applied the administrative fines introduced by the GDPR. Before the CNIL’s decision, the maximum penalty applied by another data protection authority under the GDPR was €400,000 in Portugal. With the Google fine, the CNIL sends a clear warning that its sanction is not a simple increase but a change of scale.
The CNIL also sent a strong signal to companies subject to the GDPR that their privacy policies and consent flows will be closely scrutinized and non-compliance thoroughly enforced.
© 2019 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.