France + Comments from other countries – Unprecedented EUR 50 million fine imposed on Google for data protection violations

On 21 January 2019, the French Data Protection Authority (the ‘CNIL’) fined Google EUR 50 million for lack of transparency, inadequate information and failure to obtain valid consent for ad personalisation in violation of the GDPR.

The violations of the GDPR noted by the CNIL

Violation of the transparency and information obligations

The fine followed an investigation carried out by the CNIL, as a result of a joint complaint filed by the non-profit organisations None of Your Business (NOYB) and La Quadrature du Net (LQDN) in May 2018.

The joint complaint alleged that Google did not clearly state which processing operations relate to each ‘legal basis’ relied on under the GDPR (e.g. performance of a contract to which the data subject is party, compliance with a legal obligation to which the controller is subject, data subject’s consent, etc.), and simply listed four bases for lawful processing.

The CNIL observed that the information on the data processing activities provided to users was neither easily accessible to users nor always clear or comprehensive. Essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for ads personalisation was spread across various documents, with a several clicks required to access the full information.

The CNIL also observed that in light of the number of processing operations carried out by Google (approximately 20), the description of the purposes of processing were too generic and vague. It found that it was not clear to the user that Google was relying on data subjects’ consent rather than the legitimate interest of the company to process data for ad personalisation.


Violation of the obligation to have a legal basis for advert personalisation processing

Google relied on data subjects’ consent to process data for ad personalisation purposes. However, the joint complaint alleged that data subjects did not freely consent, because they had to ‘agree’ to Google’s entire privacy policy and terms and conditions in order to access the its products.

The CNIL concluded that the data subjects’ consent was not freely given, because they had not been sufficiently informed due to the use of multiple documents and the unclear depiction of the services and websites that would be involved in the ‘ad personalisation’ section.

Further, the CNIL noted that before creating a Google account, each user was asked to agree to the company’s terms of service and privacy policy, which he or she could only amend at a later time by going into ‘more options’ and de-selecting ad personalisation.

The CNIL thus concluded that this agreement did not constitute ‘specific, informed and unambiguous’ consent in accordance with Article 4(11) of the GDPR.


The fine imposed by the CNIL and reporting of it

This is the first time that the CNIL has applied the new sanction limits provided by the GDPR since its entry into force on 25 May 2018.

Pursuant to the GDPR, a two-tiered sanction regime applies in case of violation of data protection laws. The lower tier, up to EUR 10 million or 2% of the company’s global annual turnover, applies to infringements listed in Article 83(4) of the GDPR (including infringements of the provisions on the records of processing activities, the security of processed data, notification of a personal data breach to the data protection agency (‘DPA’), etc.). The higher tier, up to EUR 20 million or 4% of the company’s global annual turnover, applies to infringements listed in Article 83(5) of the GDPR (including infringements of data subjects’ rights and the ‘basic principles’ of data processing, for example conditions for consent, lawfulness of processing and processing of special categories of personal data).

When deciding whether to impose a fine or its amount, the following factors are taken into consideration by the DPA pursuant to Article 83(2) of the GDPR: the nature, gravity and duration of the infringements in light of the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; the intentional or negligent character of the infringement; any action taken by the controller or processor to mitigate the damage suffered by data subjects; the controller’s or processor’s degree of responsibility in light of the technical and organisational measures implemented by them; any relevant previous infringement by the controller or processor and the degree of cooperation with the DPA to remedy the infringement and mitigate the possible adverse effects of the infringement; and the categories of personal data affected by the infringement.

In this case, the CNIL indicated that its decision to apply the higher level fine as well as to publicise the fine (on its official websites and those of the French legislature) was justified by the seriousness of Google’s violations of the GDPR’s basic principles of transparency, information and consent.

The CNIL also specified that, despite the measures implemented by Google (documentation and configuration tools), the huge amount of data, the wide variety of services and the almost unlimited number of possible combinations involved in its data processing operations required it to enable users to control their data effectively and to give valid consent by sufficiently informing them. Having failed to do so, Google deprived its users of essential guarantees.

Its decision was further influenced by the fact that Google’s violations were not one-off incidents or limited in time, but rather continuous breaches of the GDPR. To illustrate the reach of Google’s violation, the CNIL pointed out the large market share held by Android in France and the thousands of French data subjects who create a Google account each day in relation to their Android use.

Lastly, the CNIL pointed out that as the company’s business model was partly based on ad personalisation, thus Google had all the more reason to ensure that it complied with its GDPR obligations.


What can employers learn from this decision?

Though this decision only concerned user data, given the unprecedented amount of the fine, it should be considered a warning to all companies to ensure that their personal data management practices, including on HR matters, are GDPR compliant.

It is clear from the CNIL’s decision that claiming to be compliant is not enough. Companies need to ensure that the information provided to applicants and employees on the processing of their personal data is clear, unambiguous and easily accessible.

Employers should also ensure that data processing operations involving employee personal data rely on a ‘legal basis’ other than consent, since employees may withdraw their consent at any time, which would create practical difficulties for the employer. Moreover, the European Data Protection Board has indicated that consent is not valid in the event of a ‘manifest imbalance’ between the data subject and the controller, such as in the relationship between employee and employer.

Lastly, employers should be aware of the GDPR’s ‘one-stop-shop’ mechanism: this mechanism pertains to cross-border data processing operations and provides that an organisation established in the EU can only have one point of contact, the ‘lead authority’. This lead authority is the DPA of the member state where the organisation’s main establishment is located and it cooperates with the DPAs in the other countries involved before making a decision on cross-border data processing operations.

In this case, given that Google LLC’s European headquarters is in Ireland, one might have expected the Irish DPA to have competence to decide the claim brought against it. However, following exchanges with its European counterparts, especially with the Irish DPA, the CNIL found that Google had no ‘main establishment’ in the EU on the grounds that Google’s Irish establishment did not have decision-making power over the data processing operations carried out in relation to the Android operating system or the services provided by Google in relation to the creation of a Google account during the configuration of Android cell phones. Therefore, the ‘one-stop-shop’ mechanism was not applicable according to the CNIL and the French DPA was competent to control data processing operations carried out by Google LLC in France, as were the other DPAs in their respective countries.

The view from other places

Ius Laboris Belgium  February 6, 2019 at 09:44

In our small, but complicated trilingual country, the DPA has not become fully operational since the application of the GDPR. The problem so far has been that the law on the transformation of Belgium’s former Privacy Commission to the DPA provides that the DPA direction committee should be composed of five members, one of whom should speak German. Apparently, until recently, no one who was interested had passed the German test. In January 2019, new tests took place and a couple of candidates passed the German test. It is expected that the members of the direction committee will be appointed by Parliament prior to the May 2019 elections. Only then (about a year after the application of the GDPR), can inspections and sanctions such as in France be expected in Belgium. – Stephanie Raets – Claeys & Engels


Ius Laboris Spain  February 6, 2019 at 09:46

The Spanish DPA is fully operational under Organic Law 3/2018 of 5 December 2018 on the protection of personal data and guarantee of digital rights. Although the DPA has not yet imposed a fine under the GDPR, it should be taken into consideration that complaints have increased 33% compared to last year. In the past, Google was fined EUR 900,000.00 by the DPA for the commission of three serious infringements, the maximum amount allowed by the law in force at that time. – Gisella Rocio Alvarado Caycho – Sagardoy Abogados


Ius Laboris Hungary  February 6, 2019 at 09:47

In Hungary, the DPA started operating shortly after the application of the GDPR on 25 May 2018. Inspections and proceedings have been already initiated under the GDPR, however, fines have not yet been issued by the Hungarian DPA. Although the general legislation related to GDPR has already been adopted in Hungary, there are still no legislative provisions regulating sector data management. Many legislative provisions will have to be amended in the future; hopefully most of the amendments will be made in 2019. – Dr. Nóra Óváry-Papp – CLV Partners


Ius Laboris Sweden  February 6, 2019at 09:50

In Sweden, the DPA (Datainspektionen) has not yet fined any organisation under the GDPR. The director general for Datainspektionen has stated that it is important to make examples, but also to show respect for companies that have invested a lot of money, resources and effort in becoming compliant. Datainspektionen has also recently initiated an investigation regarding Google’s access to Android users’ location data by using ‘Location History’ and ‘Web & App Activity’ functions. According to the complainant, Google uses deceptive design, misleading information and repeated ‘pushing’ to manipulate users into allowing constant tracking of their movements. The complainant holds that the processing of location data is unlawful, and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR. Datainspektionen has sent a request for information to Google. Google has until 15 February 2019 to answer. – Sofia Lysén – Elmzell Advokatbyra AB


Ius Laboris Austria  February 6, 2019 at 09:51

So far, the Austrian DPA has imposed fines on the basis of the GDPR and its national transformation in four cases, all concerning illegal video surveillance. The fines ranged from EUR 300 to EUR 4,800, far removed from the level of the CNIL Google fine.

If the Google case were filed in Austria, assuming that the DPA were the competent authority, it is likely that it would come to the same conclusions on the merits as the CNIL. However, deviating from the CNIL, pursuant to Section 11 of the Austria Data Protection Act, the DPA has to apply the GDPR regulations, including the sanctions detailed in Article 83, proportionately. Consequently, before imposing a fine, the DPA will make use of its power to settle the case by issuing warnings. If a violation of the GDPR cannot be settled by issuing a warning, the first fine imposed can also be expected to be reasonable based on these principles. It is therefore unlikely but not excluded that the Austrian Data Protection Authority will impose sanctions of a comparable level to the CNIL. – Birgit Vogt-Majarek & Andreas Kezer – Schima Mayer Starlinger Rechtsanwälte GmbH


Ius Laboris Netherlands  February 6, 2019 at 09:53

The Dutch Data Protection Authority (DDPA) has not yet issued any fines based on the GDPR. However, the DDPA is entitled to do so based on the Dutch implementation act. The DDPA did recently (November 2018) impose a fine based on previous privacy legislation. The fine was imposed on Uber: Dutch privacy rules already included the possibility of imposing fines for data breaches before the GDPR.

The DDPA is entitled to impose similar fines to the French authority. The implementation act only includes minor limitations on imposing fines regarding unlawful processing of criminal personal data and imposing fines on public bodies. The DDPA is also entitled to impose incremental penalties (that is, to issue an order to rectify and impose penalties on the organisation if the order is not complied with). Although fines similar to that imposed in France can also be expected in the Netherlands, it is more likely that pursuant to the Dutch system of general administrative law, the DDPA will impose incremental penalties rather than fines. – Ilse Baijens – Bronsgeest Deur Advocaten


Ius Laboris Cyprus  February 6, 2019 at 10:44

In Cyprus, the DPA has recently announced the start of drastic inspections and audits in both the public and private sector. Its aim is to give guidance to organisations and not to impose high administrative fines, except if there is a very serious issue or breach. Seven inspections have already been carried out. From 25 May 2018 until the end of 2018, the DPA received a total of 281 complaints (103 of them concerning ‘spam’ marketing messages). It was notified of 32 personal data breaches and has issued four decisions with fines up to EUR 11,500. Also, in the DPA cooperation system, 255 cross-border cases have been registered, for which two decisions have been issued. The DPA has stressed that under Article 57 and 58 of the GDPR, it is within its powers to carry out inspections to monitor and enforce compliance. It remains to be seen what further inspections and fines will be imposed. – Doria Papanicolaou – George Z. Georgiou & Associates LLC


Ius Laboris Lithuania  February 6, 2019 at 10:47

News of the CNIL’s fine on Google spread quickly and was widely discussed in the local media. The official reaction provided by the Lithuanian DPA was that they agree with the interpretation of the provisions of the GDPR and the arguments made by the CNIL in this case. In was suggested that local companies should learn from this CNIL decision and make adjustments in the way they process personal data in order to be compliant. The DPA also announced that the ‘grace period’ of six months is coming to an end and that fines will follow in Lithuania as well (when the GDPR came into force, the DPA announced that they would not impose fines for the first six months). – Renata Vasiliauskienė – COBALT


Ius Laboris Czech Republic February 6, 2019 at 12:14

In January 2019, the Czech DPA received a complaint against Google from a data subject represented by the non-profit organisation dTest, o.p.s. It concerned the processing of users’ personal location data. The complaint relates to Google not acting transparently in processing personal data and is based on Norwegian consumer research, which has also been the basis for complaints in other member states. Applying GDPR rules on cross-border cases, the Czech DPA informed the Irish Data Protection Commissioner about the complaint. Because Google´s main EU establishment is in Ireland, the Irish office should become the lead authority for Google’s data processing activities.

We see a lesson here for employers, who should be aware of their obligation to inform employees of personal data processing. Their obligations are not limited to providing a sufficiently clear and comprehensible privacy notice, but extend to communicating with employees about their rights and obligations, for example via the HR department, Q&As, regular training, or preparing summarised versions of the privacy notice. Using these channels may ensure better GDPR compliance where a simple privacy notice may not be detailed enough. Our practical experience demonstrates that these initiatives help prove that the employer (as controller) is making best efforts to ‘get the information into employees’ heads’. – Irena Lišková & Jakub Lejsek – Randl Partners

< Return