France: EUR 50 million fine for data protection violations
On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for lack of transparency, inadequate information and failure to obtain valid consent for ad personalisation in violation of the GDPR.
The violations of the GDPR noted by the CNIL
The fine followed an investigation carried out by the CNIL, as a result of a joint complaint filed by the non-profit organisations None of Your Business (NOYB) and La Quadrature du Net (LQDN) in May 2018.
The joint complaint alleged that Google did not clearly state which processing operations relate to each ‘legal basis’ relied on under the GDPR (e.g. performance of a contract to which the data subject is party, compliance with a legal obligation to which the controller is subject, data subject’s consent, etc.), and simply listed four bases for lawful processing.
The CNIL observed that the information on the data processing activities provided to users was neither easily accessible to users nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalisation was spread across various documents, with a several clicks required to access the full information.
The CNIL also observed that in light of the number of processing operations carried out by Google (approximately 20), the description of the purposes of processing were too generic and vague. It found that it was not clear to the user that Google was relying on data subjects’ consent rather than the legitimate interest of the company to process data for ad personalisation.
Violation of the obligation to have a legal basis for advert personalisation processing
The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed due to the use of multiple documents and the unclear depiction of the services and websites that would be involved in the ‘ad personalisation’ section.
The CNIL thus concluded that this agreement did not constitute ‘specific, informed and unambiguous’ consent in accordance with Article 4(11) of the GDPR.
The fine imposed by the CNIL and reporting of it
This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018.
Pursuant to the GDPR, a two-tiered sanction regime applies in case of violation of data protection laws. The lower tier, up to EUR 10 million or 2% of the company’s global annual turnover, applies to infringements listed in Article 83(4) of the GDPR (including infringements of the provisions on the records of processing activities, the security of processed data, notification of a personal data breach to the data protection agency (‘DPA’), etc.). The higher tier, up to EUR 20 million or 4% of the company’s global annual turnover, applies to infringements listed in Article 83(5) of the GDPR (including infringements of data subjects’ rights and the ‘basic principles’ of data processing, for example conditions for consent, lawfulness of processing and processing of special categories of personal data).
When deciding whether to impose a fine or its amount, the following factors are taken into consideration by the DPA pursuant to Article 83(2) of the GDPR: the nature, gravity and duration of the infringements in light of the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; the intentional or negligent character of the infringement; any action taken by the controller or processor to mitigate the damage suffered by data subjects; the controller’s or processor’s degree of responsibility in light of the technical and organisational measures implemented by them; any relevant previous infringement by the controller or processor and the degree of cooperation with the DPA to remedy the infringement and mitigate the possible adverse effects of the infringement; and the categories of personal data affected by the infringement.
In this case, the CNIL indicated that its decision to apply the higher level fine as well as to publicise the fine (on its official websites and those of the French legislature) was justified by the seriousness of Google’s violations of the GDPR’s basic principles of transparency, information and consent.
The CNIL also specified that, despite the measures implemented by Google (documentation and configuration tools), the huge amount of data, the wide variety of services and the almost unlimited number of possible combinations involved in its data processing operations required it to enable users to control their data effectively and to give valid consent by sufficiently informing them. Having failed to do so, Google deprived its users of essential guarantees.
Its decision was further influenced by the fact that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR. To illustrate the reach of Google’s violation, the CNIL pointed out the large market share held by Android in France and the thousands of French data subjects who create a Google account each day in relation to their Android use.
Lastly, the CNIL pointed out that as the company’s business model was partly based on ad personalisation, thus Google had all the more reason to ensure that it complied with its GDPR obligations.
What can employers learn from this decision?
Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.
It is clear from the CNIL’s decision that claiming to be compliant is not enough. Companies need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.
Employers should also ensure that data processing operations involving employee personal data rely on a ‘legal basis’ other than consent, since employees may withdraw their consent at any time, which would create practical difficulties for the employer. Moreover, the European Data Protection Board has indicated that consent is not valid in the event of a ‘manifest imbalance’ between the data subject and the controller, such as in the relationship between employee and employer.
Lastly, employers should be aware of the GDPR’s ‘one-stop-shop’ mechanism: this mechanism pertains to cross-border data processing operations and provides that an organisation established in the EU can only have one point of contact, the ‘lead authority’. This lead authority is the DPA of the member state where the organisation’s main establishment is located and it cooperates with the DPAs in the other countries involved before making a decision on cross-border data processing operations.
In this case, given that Google LLC’s European headquarters is in Ireland, one might have expected the Irish DPA to have competence to decide the claim brought against it. However, following exchanges with its European counterparts, especially with the Irish DPA, the CNIL found that Google had no ‘main establishment’ in the EU on the grounds that Google’s Irish establishment did not have decision-making power over the data processing operations carried out in relation to the Android operating system or the services provided by Google in relation to the creation of a Google account during the configuration of Android cell phones. Therefore, the ‘one-stop-shop’ mechanism was not applicable according to the CNIL and the French DPA was competent to control data processing operations carried out by Google LLC in France, as were the other DPAs in their respective countries.