On 21 January 2019, the restricted committee of the French data protection authority – Commission Nationale de l’Informatique et des Libertés (CNIL) – imposed a financial penalty of €50 million (euros) against Google LLC for non-compliance with the European Union’s data protection law, the General Data Protection Regulation (GDPR), which came into operation in May 2018. As noted by the CNIL, this was the first time that the CNIL applied the new increased sanction limits provided by the GDPR, which the CNIL considered to be justified in light of the severity of the infringements.
In terms of the complaints received, it was contended that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for the personalisation of advertisements (ads personalisation). As part of its investigation, the CNIL carried out online inspections to verify the compliance of the processing operations implemented by Google with the GDPR and the domestic data protection law, including by analysing users’ browsing patterns. On the basis of the inspections carried out, the CNIL observed two types of breaches: (i) a violation of the obligations of transparency and information; and (ii) a violation of the obligation to have a legal basis for ads personalisation processing.
Violation of the obligations of transparency and information
The CNIL noted that the information provided by Google was not easily accessible for users. In this regard, the CNIL observed that essential information – such as the data processing purposes, the data storage periods or the categories of personal data used for ads personalisation – was “excessively disseminated” across several documents, with buttons and links that needed to be clicked to access complementary information; as such, the relevant information was only accessible after several steps. The CNIL observed further that some information was not always clear or comprehensive.
In this regard, the CNIL noted that users were not able to fully understand the extent of the processing operations carried out by Google. This mattered because, given the number of services offered and the amount and nature of the data processed and combined, the processing operations were particularly massive and intrusive. Of particular concern to the CNIL was that the purposes of processing were described too generically and vaguely, as were the categories of data processed for the various purposes. Similarly, the CNIL was concerned that it was not clear to users that the legal basis for ads personalisation processing was consent, and not the legitimate interest of the company.
Lastly, the CNIL noted that information regarding the retention period was not provided for some data.
Violation of the obligation to have a legal basis for ads personalisation processing
According to the CNIL, Google had not obtained valid consent for ads personalisation. First, the CNIL observed that the users’ consent was not sufficiently informed. In this regard, it noted that the information on processing operations for the ads personalisation was diluted in several documents, and did not enable users to be aware of their extent.
Second, the CNIL observed that the collected consent was neither “specific” nor “unambiguous”. In particular, the CNIL noted that when an account was created, the user had to click on the ‘More options’ button to access the configuration, and the option to display personalised ads was already pre-ticked. This failed to meet the requirements of the GDPR, which provides that consent is only unambiguous where there is a clear affirmative action from the user (for example, ticking a box that has not been pre-ticked).
The penalty imposed by the CNIL
In light of the above, the CNIL imposed a fine of €50 million (euros) against Google. As noted above, this was the first time that the CNIL applied the new increased sanction limits provided by the GDPR. According to the CNIL: “The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” The CNIL concluded further as follows:
Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.
Moreover, the violations are continuous breaches of the [GDPR] as they are still observed to date. It is not a one-off, time-limited, infringement.
Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a Google account when using their smartphone. Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.
The CNIL’s media statement (in English) is accessible here.
The CNIL’s ruling (in French) is accessible here.