
On January 21, 2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.
We focus here on four key aspects of the decision: (a) why the Irish Data Protection Commission (Irish DPC) did not take the case; (b) the consent mechanism failings; (c) the privacy policy failings; and (d) the amount of the fine.
Lead authority
Google argued that the Irish DPC should have investigated and enforced the complaints that led to this decision. The CNIL:
- was clear that, for the one stop shop to even be an option, the EU establishment claiming to be the main establishment in the lead authority member state must have decision-making power over the processing of personal data at stake;
- ignored a range of activities that were undertaken in Ireland, including concluding some advertising sales from there, to focus on whether Google Ireland had any decision-making power over the processing operations set out in the Privacy Policy presented to the user when he/she created an account when setting up an Android device;
- found that such decisions were made by Google LLC from the U.S., noting that Google Ireland was not described as the entity making decisions in relation to the processing in the Privacy Policy, had no Data Protection Officer of its own covering this processing, and was not stated to have been involved in the development of the Android operating system.
As a result, any EU data protection authority (DPA) had the ability to investigate and enforce in relation to the infringements in its jurisdiction, and the CNIL investigated and enforced the French infringements. The fine was imposed on Google LLC but sent to Google France for implementation (presumably as Google LLC’s agreed EU representative).
Our take
Other controllers should review the determinations they have made about lead authorities, focusing on the Art 29 WP guidance. It is possible for there to be different lead authorities for different processing activities within the same group, which can make this very complex.
If the processing is controlled from outside the EU, appointing an EU representative is required (which appears to have the advantage of allowing breach notification solely to the DPA in the EU representative’s member state). A clear position on this is essential for breach reporting, given that decisions as to which authority to notify need to be made within 72 hours.
Consent tick boxes
When configuring an Android device the user is invited to create, or sign into, a Google account. To avoid creating the account the user had to click “ignore”, whereupon the user was told of the benefits of using a Google account with the Android device before being able to proceed further.
The account creation process required the user to agree to the Google terms of use and the privacy policy. The agreement process required the user to scroll through a short summary of the processing with a “More Options” link to another layer, where it was possible to opt in or out of various tracking activities (including ad personalization). The tick box for ad personalization was pre-ticked.
Once the user had agreed to the terms of use and privacy policy, the user received an email informing him/her that he/she was in control and could change privacy settings at any time and sign up for privacy check-up reminders. If the user had not altered the ads personalization pre-ticked box, he/she got a specific pop-up reminding him/her that the account allowed for ads personalization and could be customized.
The CNIL did not accept that this amounted to specific and unambiguous consent on the basis that:
- the user was asked to consent to a very wide range of processing;
- in order to make the consent more granular, he/she had to take proactive steps to click to another “hidden” layer; and
- the ads personalization box was pre-ticked. In order to be compliant, the consent journey would have needed to offer the user the specific consent options unticked before offering a final unticked box which would allow the user to consent, or not consent, to all the different purposes.
Our take
The CNIL’s position on consent echoed its Vectaury decision where it was critical of any overstated downsides in not giving consent, and gave the same message about pre-selected tick boxes.
Consent gathering methods for email marketing are now usually in line with these requirements. The position is, however, less clear in relation to many ad tech consent gathering mechanisms, where it is common to provide for group consent to different purposes under a single “I accept” button.
Since the GDPR came into force the CNIL has given five formal notices to ad tech companies in relation to their consent-gathering mechanisms. Both ad tech companies and publishers should be assessing whether any changes are now required.
Privacy policy structural failings
Google has to cover a lot of products and data uses in its privacy documentation. Its efforts to make these digestible and accessible did not satisfy the CNIL. The CNIL described Google’s processing as “particularly massive and intrusive” and capable of revealing with a significant degree of precision many of the most intimate aspects of a person’s life, which required the privacy notice to be particularly clear and intelligible.
The CNIL found the following faults in the privacy policy:
- it did not bring home how extensive the intrusion into the user’s private life could be – rather, it used vague high-level descriptions;
- the policy required a lot of patching together to understand. A user was required to navigate forwards and backwards through links (five actions to understand ad personalization, and six actions to understand geolocation) to different documents, and this made it impossible for the user to easily understand the totality of the processing;
- it was not possible to accurately ascertain such extensive potential data use before agreeing to sign up to the Google account. The CNIL accepted that this would not be possible at the first layer of the privacy notice, but suggested that Google could have provided a better overview of the combination of sources and processing activities in the Privacy Policy layer;
- it was not clear that all ad personalization was based on consent (as Google asserted to the CNIL), as some forms of ad targeting (for example, location-based ads) appeared to be based on legitimate interests in the privacy policy. This was confusing; and
- the title for the section of the policy on retention periods was “Export and delete your information”. The CNIL did not think users would expect this to include retention periods. In addition, some retention categories did not specify duration or criteria for determining the duration.
These failings also meant that the consent was not informed.
Our take
Such failings should be easier to avoid for controllers with less extensive and less complicated data collection practices.
Care should be taken (when making policies more consumer-friendly) that the key headings from a classic privacy policy remain recognizable from the overview.
Controllers using extensive layering should consider having a link to a linear document with the entire privacy policy in it so that it is easier for regulators to use in order to tick off the points they require to be provided for.
Do not have users agree to the privacy policy for purposes of obtaining consent to generalized processing. Instead, ensure that only the areas of processing requiring consent are covered by the consent drafting.
The grace period (if there was one) for articulating retention periods in privacy policies appears to be over, and controllers should be looking to add more detail to this part of their privacy policies.
Level of fine
€50 million is a massive fine by EU standards. The CNIL cited the following reasons for the amount of the fine:
- the centrality of the information, transparency and lawful basis principles to data protection, and that Google’s infringement was in the top fining tier under the GDPR;
- the breach was not one-off or spontaneous – it was ongoing;
- a large amount of personal data relating to a large number of data subjects was involved (millions of users in France) from a multiplicity of sources;
- the information was particularly enlightening about data subjects’ lifestyles, opinions and social interactions, and therefore closely affected their identity and privacy;
- the lack of transparency and consent to personalized advertising processing is counter to the legitimate aspirations of individuals who want to retain control of their personal data – this control being one of the major thrusts of the GDPR; and
- Google’s business model is partly based on personalized ads and therefore it has a particular responsibility to operate it in compliance with the GDPR.
Our take
The fine only relates to the French processing, and it remains to be seen if any other DPA will seek to impose fines for their jurisdiction (given that the CNIL is not competent in these circumstances to impose fines in respect of infringements in other member states).
No indication is given as to how the fine was calculated, nor as to how important each of the cited factors was. If Google appeals, with luck, the appeal judgment may shed more light.
Given the long history between the CNIL and Google in relation to its privacy policy and the extent of its processing activities, this fine does not necessarily signal that fines for smaller players will jump by similar factors, but now that the first “mega” GDPR fine has been issued, it does represent a new inflationary benchmark for egregious or massive breaches.
Finally, it would appear that any unofficial implementation-period enforcement amnesty is ending.
For more information
The CNIL press release on the decision is in English. The full decision is only in French.