GOOGLE fined €50m by CNIL for multiple GDPR violations

21st January 2019: The French data protection authority (CNIL) restricted committee has imposed a financial penalty of 50 million euros against GOOGLE LLC under the General Data Protection Regulation (GDPR). Violations include: lack of transparency, inadequate information and lack of valid consent regarding ads personalization.

During the latter part of May 2018, CNIL received group complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN was commissioned to refer the matter to the CNIL by 10,000 people. In the two complaints, the associations accuse GOOGLE of not having a “valid legal basis” to process the Personal Information of users of its services, particularly for the purposes of ads personalization.
Complaint handling by the CNIL
Upon receipt of the complaints, the CNIL immediately began investigations. On 21st June, details of the complaints were sent to CNIL’s European counterparts, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (GDPR).

The GDPR establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must therefore coordinate the cooperation between the other Data Protection Authorities before taking any decision about a cross-border processing carried out by the company.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not make it possible to consider that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have decision-making power over the processing operations carried out in the context of the Android operating system and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone. As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPAs. The CNIL implemented the new European framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.

In order to deal with the complaints received, the CNIL carried out online inspections in September 2018.
The aim was to verify the compliance of the processing operations implemented by GOOGLE with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user, and the documents he or she can access, when creating a GOOGLE account during the configuration of a mobile device running Android.
The violations observed by the restricted committee
On the basis of the inspections carried out, the CNIL’s restricted committee, responsible for examining breaches of the Data Protection Act, observed two types of breaches of the GDPR.

First, the restricted committee notes that the information provided by GOOGLE is not easily accessible for users. Indeed, the general structure of the information chosen by the company does not make it possible to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for ads personalization, is excessively disseminated across several documents, with buttons and links that must be clicked to access complementary information. The relevant information is accessible only after several steps, sometimes requiring up to 5 or 6 actions. For instance, this is the case when a user wants complete information on the data collected about him or her for personalization purposes or for the geo-tracking service.

Moreover, the restricted committee observes that some information is not always clear or comprehensive. Users are not able to fully understand the extent of the processing operations carried out by GOOGLE, yet these processing operations are particularly massive and intrusive because of the number of services offered (about twenty) and the amount and nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in too generic and vague a manner, as are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough for the user to understand that the legal basis of processing operations for ads personalization is consent, and not the legitimate interest of the company. Finally, the restricted committee notes that the retention period is not provided for some data.
Sources and credits: CNIL – deliberation of the CNIL’s restricted committee (in French)