On January 29, 2019, the French Data Protection Agency, the Commission Nationale de l’informatique et des Libertés (CNIL), imposed a fine of 50 million Euros on Google LLC under the EU General Data Protection Regulation (GDPR) for failure to (i) provide information to users configuring their Android mobile device and creating a Google account, in breach of the transparency obligation and in violation of Articles 12 and 13, GDPR (which call for an easily accessible form and clear and plain language), and (ii) provide a legal basis for the processing and, in particular, obtain users’ valid consent to process their personal data for personalized advertisement purposes.
By way of background, the CNIL received two collective complaints grouping around 10,000 people. The complaints concerned Android users, who have to accept Google’s privacy policy and terms and conditions to use their device, and Google’s data processing for behavioral analysis and advertising targeting without a valid legal basis.
As to the CNIL’s competence, Google argued that Google Ireland Limited was its main establishment in the European Union and that therefore the CNIL was not competent to carry out this procedure; it should instead have transmitted the cross-border complaints it received to the lead Data Protection Authority (DPA) in accordance with the one-stop-shop mechanism (Article 60, GDPR).
The CNIL found itself competent because Google Ireland Limited could not be considered the principal place of business of Google LLC in Europe within the meaning of Article 4.16, GDPR, specifically because this entity had no decision-making power over the investigated processing.
In setting the amount of the penalty (EUR 50 million) the CNIL considered:
- the seriousness of the breaches, concerning the obligations of transparency and information;
- the length of the violations;
- the gravity of the infringements, in particular with regard to the purpose of the processing, their scope and the number of persons concerned;
- the fact that the data processed closely touched their identity and their privacy;
- the fact that the company has almost unlimited potential to carry out massive and intrusive processing of users’ data;
- the company’s prominent place in the market for operating systems and the seriousness of the deficiencies.
The CNIL decision, Délibération de la formation restreinte n° SAN-2019-001 du 21 janvier 2019 prononçant une sanction pécuniaire à l’encontre de la société GOOGLE LLC, concerning the processing in question, is available (in French) at https://www.legifrance.gouv.fr….
The decision has been criticized because, through the CNIL’s reasoning, non-EU controllers are de facto deprived of the benefit of the one-stop-shop mechanism. One author (What happened to the one-stop shop?) noted:
Is the CNIL right to require that the EU administrative headquarters also has to decide on purposes and means (i.e. qualify as the controller)?
If so, the one-stop shop mechanism will de facto not be available for non-EU controllers (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of its cross-border processing activities in the EU (these being part of their global service offerings).
More on the one-stop-shop mechanism is available at https://www.technethics.com…
For more information about how foreign privacy rules may impact your US business, contact Francesca Giannoni-Crystal. Thanks to Federica Romanelli.