The key findings of the TGI in the Google case are set out below:
Although no monetary payment was required to use Google+, the judges considered that such service was not “free of charge” since users provided their personal data to Google, which Google then monetised. Accordingly, the judges ruled that such personal data constituted goods from which Google derived an economic benefit in return for the service provided to users. The arrangement between the user and Google therefore constitutes a contract for pecuniary interest between a professional and a consumer and consumer law is therefore applicable.
- The real and primary purposes of the processing must be presented in the first block of information made available to the user
The judges criticised Google for not presenting the following information in the first level of information made available to the user: the recipients of the personal data, the methods of digital processing and, above all, the purposes for which the data is shared, in particular targeted advertising. This finding tracks the position adopted by the French data protection authority (the Commission Nationale de l’Informatique et des Libertés (CNIL)) in its formal notices against Vectaury, Fidzup and Teemo, where the companies were considered not to have informed the user in advance of the advertising targeting activities carried out via SDK technology, such information being provided only after the collection of the data.
The judges stressed that users must be made aware as soon as they begin to read privacy notices, of the extent of the collection of their personal data and the “real” purposes of such collection.
Moreover, the data controller cannot explain to consumers that personal data is collected merely as a means of improving the services when the primary purpose is in fact the commercial exploitation of such data for targeted advertising, even if the improvement of services remains part of the purposes for the processing.
- Consent can never be presumed
In line with recent decisions released by the CNIL, where consent was a particular new focus, the TGI in this case also criticised Google, on several occasions, for presuming that users consented to the processing of their data, rather than proactively obtaining such consent in a lawful manner. In particular they focus on the following data processing:
Geolocation data: It is not sufficient to just inform users of the collection of geolocation data (such as IP addresses). Organisations must instead also provide users with the means of granting consent and refusing the collection of such data. In the present case, Google merely informed the consumers that geolocation data was being collected, without first obtaining the users’ consent or providing information about how such data was processed. The judges also emphasized the data controller’s obligation to inform the users of how they can exercise their right to object to such processing. This case echoes the CNIL’s decisions to issue formal complaint notices (mise en demeure) to several companies at the end of 2018 for failure to obtain consent for geolocation data.
However, the tribunal helpfully did hold that, contrary to UFC Que Choisir’s position, the lack of information as to the precise technologies used to process geolocation data was irrelevant. What is key is just ensuring that users are informed that the processing of this type of data occurs.
Cookies: The Google terms referred to the use of “cookies or similar technologies” to collect personal data when the user accesses Google+ or a third-party site using Google’s advertising services.
Once again, the judges criticized Google for presuming the users’ consent to the collection of their data via such technologies, such presumption being non-compliant with the provisions of the French Data Protection Act. The judges ruled that the existence of a cross-reference to another section of the privacy notice, which explained users’ ability to delete, or prevent the setting of cookies at a later stage, was not sufficient to comply with French laws on consent. Consent must be obtained in advance.
In addition, when the user is informed of their ability to deactivate the collection of data by means of cookies, they must also be clearly informed of the consequences of doing so and in particular of any service malfunctions that may occur. However, the tribunal held that Google’s warning that deactivation could give rise to possible malfunctions of the services was given “for manifestly dissuasive purposes”, and was therefore not compliant.
Combining of data sets: The judges noted that there was a “real presumption of consumer consent” with regards to the combining and cross-referencing of Google’s different data sets. They flagged that users have the right to refuse the combining of their data in this way and the ability to revoke this combining at a later date is insufficient to comply with the French Data Protection Act.
- Users’ personal data do not belong to the data controller
The TGI ruled that the conclusion of the contract between Google and the user cannot be made conditional on the user granting Google a licence for all content, including personal data, imported, stored, sent and received by the user. In addition, the TGI ruled that the provision giving Google the right to modify or adapt users’ personal data in order to harmonize such data between different Google services (for example, by replacing “old names associated with your Google Account, so that you are presented in a consistent manner across all our services“) was also not permitted.
- Changes in privacy rules may sometimes require a new agreement
You will find the long version of our analysis in French here. We will be publishing a more detailed analysis of this case in English in due course.
 CNIL, Decisions No MED 2018-022 (TEEMO) and No MED 2018-023 (FIDZUP) of 25 June 2018, and decision No MED 2018-042 of 30 October 2018 (VECTAURY). It should be noted that these formal notices have been closed since then.
 See the CNIL Decision No SAN – 2019-001 of 21 January 2019 imposed a financial penalty against GOOGLE LLC, and our analysis of this decision.
 Decision No MED 2018-043 of 8 October 2018 (SINGLESPOT). To be noted that these formal notices have been closed since then.
 This is also the position recently adopted by the Advocate General of the Court of Justice of the European Union in his recent opinion delivered on 21 March 2019 in the “Planet49” case. See our analysis of this position.