Google has failed in its attempts to overturn a €50 million fine imposed by the French CNIL. The fine was levied against Google in January 2019, and Google has made several attempts to overturn it. However, its efforts have been in vain. The French Conseil D’Etat (Council of State, ruling on litigation; Litigation Section, 10th and 9th Chambers Combined) has upheld the fine.
While €50 million might seem a significant fine, this ruling is more than just the money. Google has argued that the CNIL lacked the authority to bring a case against it. It wanted the Irish DPC to hear the case since Google’s European HQ is in Ireland. The Conseil D’Etat has now ruled that the CNIL is the competent authority in this case.
What is this all about?
In 2019, the CNIL levied a GDPR fine against Google for the way it obtained consent for ad personalisation. In its press release at the time, it stated: “On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalisation.”
The case had been brought before the CNIL by European privacy campaign groups None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Both organisations alleged that Google was processing the data of European citizens without having a valid basis for doing so.
The CNIL initially asked Ireland’s DPC if it wanted to deal with the case. It declined, saying that it was unable to deal with issues around Android and Google LLC. This led the CNIL to implement the European Framework set out by the European Data Protection Board’s guidelines. It then found against Google and issued its fine.
Why did Google’s appeal fail?
Google was appealing several issues around how the CNIL managed the case. Among those were a lack of training, a failure to apply the correct procedures and errors of law. Perhaps the most important, certainly to Google, was the right of the CNIL to hear the case. It also claimed that it acted reasonably when obtaining consent to process personal data.
Was the CNIL entitled to take the case?
Yes, it was. In section 5 of its ruling, the Conseil D’Etat states that Google LLC was the controlling entity with regard to Android, not Google Ireland Limited. It meant there was no ruling authority and the CNIL was free to take the case.
“As no leading authority could therefore be designated under the conditions of Article 56 of the RGPD, the CNIL was responsible for investigating the complaints of the associations None of Your Business and La Quadrature du Net because of the treatment of the personal data of French users of the Android operating system operated by Google LLC and impose the impugned sanction on the latter. The recognition of such competence of the CNIL with regard to the data processing managers of users located in France, whose conditions of determination do not in any case ignore the principle of the legality of offences and penalties, cannot lead to a violation of the principle of non bis in idem.”
Statements from other European supervisory authorities (Section 8) also supported this decision. Most important was the public statement from the Irish Data Protection Authority which was published in the Irish Times newspaper.
Google made it hard to find details on privacy
(Section 17) The level of information provided made it hard for users to understand the degree of privacy intrusion and the amount of data collected.
(Section 18) It required multiple steps for a user to obtain all relevant information about the personalisation of ads. Additionally, it states: “Information on the shelf life of the data, which must be provided under the a) of Article 13 of the RGPD, is only accessible from a hyperlink available on the 68th page of the “Privacy Rules” document.”
(Section 19) The information provided to users was lacking or insufficiently accurate. It also states: “..the instruction indicates that the data retention document published by Google indicates that certain data may be stored “for long periods for specific reasons” without indicating either the purposes pursued or the data involved.”
Did Google breach rules on consent?
Yes. In Section 21, the ruling states: “Article 6 of the RGPD states that: ‘Treatment is only lawful if, and to the extent that, at least one of the following conditions is met: / (a) the person concerned has consented to the processing of his personal data for one or more specific purposes.’”
It then goes on to say: “Consent given by means of a checked box by default does not imply active behaviour on the part of the user and therefore cannot be considered to be the result of a clear positive act validly allowing the collection of consent.” It also states: “Finally, regardless of the terms in which it is collected, consent is valid only if it is preceded by a clear and distinct presentation of all the purposes pursued by the treatment.”
Just as damning, in Section 22 the ruling states: “Thus, it appears that the information on the scope of treatment for “advertising targeting” provided at the first level is insufficient, in light of the clarity and accessibility requirements recalled above. In the absence of sufficient advance information, the consent obtained in a comprehensive manner for all purposes, including this one, cannot be regarded as informed or, by consequence and in any event, as valid.”
How has NOYB responded?
NOYB issued its own response to the ruling. Max Schrems, honorary chairman of NOYB, states: “The amount is tiny for Google, but still an important symbol to show that GDPR fines can reach serious amounts”.
NOYB also points out that the CNIL was able to investigate and conclude this case in just five months. It compares it to the 18 months that the Irish Regulator (DPC) has taken in dealing with complaints against Facebook, WhatsApp and Instagram.
Enterprise Times: What does this mean?
As Schrems states, €50 million is an irrelevancy for Google, although it is more than it paid in UK taxes in 2019. Arguably, this was never about money. It was about whether Google was transparent over privacy. The Conseil D’Etat has backed the CNIL in saying it was far from that.
Google will be surprised to have lost this case. It believed that the CNIL was acting without authority and that the entire case should be dismissed. Instead, it has opened itself up to a ruling that it did not expect. The question now is where does it go from here? Will it try an appeal to the European Court of Justice? Will it just pay up and hope it all goes away? What changes must it now make to its privacy process, which was roundly criticised, to ensure there are no additional charges or fines?
This case is not just important for Google. It shows that companies dealing with the PII of European citizens can no longer assume that they come under a specific DPC. There must be primary evidence that a DPC is, indeed, the competent authority for an organisation. Google failed to ensure that Google LLC came under Ireland’s DPC. Other multi-nationals will now be looking at the implications of this for them.
As important, if not more so, is the part of the ruling that defines what constitutes consent. It is likely that a number of large online organisations will be reviewing how people give consent and the clarity of that information. It will be a surprise if this ruling is not used by several European privacy advocates in future court cases.