June 23, 2020
On June 19, 2020, the French Administrative Supreme Court (“Conseil d’Etat”) dismissed Google LLC’s appeal against the French Data Protection Authority’s decision of January 21, 2019, imposing a fine of 50 million euros on Google LLC. This fine is, to date, the highest fine issued under the GDPR in the European Union. The decision is now final with no further possibility of appeal before French courts.
This Client Alert lays out the key aspects and implications of the decision.
On January 21, 2019, the French Data Protection Authority (“CNIL”) imposed a fine of 50 million euros on Google LLC for breach of EU transparency and information obligations and lack of valid consent to process data for targeted advertising purposes under the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
Google filed an appeal against the CNIL’s decision with the French Administrative Supreme Court, which issued its final ruling on June 19, 2020. Google raised two requests for preliminary rulings from the Court of Justice of the European Union (one in relation to the jurisdiction of the CNIL and another in relation to the consent mechanism the company had used) but the French Administrative Supreme Court determined that there was no need to refer such questions to the Court of Justice of the European Union.
In its ruling, the French Administrative Supreme Court first confirmed the CNIL’s jurisdiction.
In order to challenge the CNIL’s jurisdiction, Google claimed that its main establishment, as defined under the GDPR, was Google Ireland Limited, which is its head office in Europe, has human and financial resources and assumes the responsibility of “many organizational functions” in Europe.
In doing so, Google tried to demonstrate that the Irish supervisory authority (the DPC) should have had jurisdiction in this matter considering the one-stop-shop mechanism provided by the GDPR under which an organization established in multiple EU Member States shall have, as its sole interlocutor, the supervisory authority of its “main establishment” (also called, the “lead supervisory authority”). Under the GDPR, the “main establishment” should correspond to the place of the central administration in the EU, unless decisions on the purposes and means of data processing are taken in another establishment which has the power to have such decisions implemented, in which case the latter establishment should be considered the main establishment.
The French Administrative Supreme Court found that Google Ireland Limited did not exercise, at the time of the challenged conduct, control over the other European affiliates of the company, so that it could not be regarded as the “central administration,” and that Google LLC was determining alone the purposes and means of the processing. The Court noted that Google Ireland Limited was assigned new responsibilities in relation to data processing in Europe, but highlighted that this new scope of responsibility was in any event effective only after the date the CNIL issued its decision.
The Court also pointed out that while the CNIL cooperated with other supervisory authorities in the EU in relation to its jurisdiction, none of them raised a concern with respect to the CNIL’s exercise of jurisdiction, and the Irish supervisory authority even publicly stated at that time that it was not the lead supervisory authority of Google LLC.
Therefore, the Court rejected Google’s jurisdictional arguments, including the request for preliminary rulings from the Court of Justice of the European Union regarding that issue.
The French Administrative Supreme Court also confirmed the breaches identified by the CNIL regarding Google’s transparency and information obligations, as well as the lack of valid consent to process its users’ personal data for targeted advertising purposes.
First, the Court found that Google’s consumer disclosures were scattered, thus hindering the accessibility and clarity of information for users, while the data processing carried out was particularly intrusive.
Furthermore, with respect to the validity of the consent collected, the Court confirmed that the information Google provided to consumers that was related to targeted advertising was not presented in a sufficiently clear and distinct manner for the user’s consent to be valid. In particular, the consent was collected in a global manner for various purposes and through a pre-ticked box, which do not meet the requirements of the GDPR. In that respect, the French Administrative Supreme Court also determined that there was no need to raise a request for preliminary rulings from the Court of Justice of the European Union.
Finally, the French Administrative Supreme Court stated that the administrative fine of 50 million euros was not disproportionate and confirmed its amount.
This decision is an important reminder that providing clear disclosures and consent mechanisms are key obligations to be complied with when a company’s processing of personal data is subject to the GDPR, as shortcomings in those areas may lead to significant monetary sanctions. For organizations with multiple subsidiaries or affiliates in the EU, this decision also illustrates the importance of clarifying their corporate organization, identifying their main establishment in the EU, and ensuring that this main establishment satisfies the criteria set out in the GDPR in order to benefit from the one-stop-shop mechanism.
The following Gibson Dunn lawyers prepared this client alert: Ahmed Baladi, Vera Lukic, Adelaide Cassanet, Clemence Pugnet, and Ryan T. Bergsieker. Please also feel free to contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the Privacy, Cybersecurity and Consumer Protection Group:
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, email@example.com)
James A. Cox – London (+44 (0)20 7071 4250, firstname.lastname@example.org)
Patrick Doris – London (+44 (0)20 7071 4276, email@example.com)
Penny Madden – London (+44 (0)20 7071 4226, firstname.lastname@example.org)
Michael Walther – Munich (+49 89 189 33-180, email@example.com)
Kai Gesing – Munich (+49 89 189 33-180, firstname.lastname@example.org)
Alejandro Guerrero – Brussels (+32 2 554 7218, email@example.com)
Vera Lukic – Paris (+33 (0)1 56 43 13 00, firstname.lastname@example.org)
Sarah Wazen – London (+44 (0)20 7071 4203, email@example.com)
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, firstname.lastname@example.org)
Debra Wong Yang – Los Angeles (+1 213-229-7472, email@example.com)
Matthew Benjamin – New York (+1 212-351-4079, firstname.lastname@example.org)
Ryan T. Bergsieker – Denver (+1 303-298-5774, email@example.com)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, firstname.lastname@example.org)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, email@example.com)
Kristin A. Linsley – San Francisco (+1 415-393-8395, firstname.lastname@example.org)
H. Mark Lyon – Palo Alto (+1 650-849-5307, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Deborah L. Stein (+1 213-229-7164, email@example.com)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, firstname.lastname@example.org)
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, email@example.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, firstname.lastname@example.org)
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.