On January 21, 2019, the CNIL (the French data protection authority) issued a fine of €50 million to Google under the General Data Protection Regulation (the “GDPR”) for its failure to (1) provide notice in an easily accessible form, using clear language, when users configured their Android mobile device, and (2) obtain users’ consent to process personal data for ad personalization purposes. The CNIL’s enforcement action and resulting fine arose out of actions filed by two not-for-profit associations, None of Your Business and La Quadrature du Net. The fine was the first significant fine imposed by the CNIL under the GDPR and remains one of the highest fines to date. In determining the amount of the fine, the CNIL considered the fact that the violations related to essential principles under the GDPR (transparency and consent), the violations were continuing, the importance of the Android operating system in France, and the fact that the privacy notice presented to users covered a number of processing operations. Google appealed the decision.
On June 19, 2020, the highest administrative court in France, the Conseil d’Etat, upheld the CNIL’s decision and the €50 million fine. The court confirmed that Google had not provided sufficiently transparent notice to Android mobile device users about the processing of their personal data and had also failed to obtain valid user consent to ad personalization. As to transparency, the court noted that Google’s privacy notice did not provide the level of clarity and accessibility required by the GDPR.
The court noted that when a Google user wished to create an account to use the Android system, the user was asked to accept a general statement that included use of data for ad personalization purposes. The court noted that the information about ad personalization was general and mixed with information about various other processing activities. The court therefore determined that user consent to ad personalization did not meet the GDPR’s requirement that consent be specific, informed, freely given and unambiguous.
As to the level of the fine, the court stated that it was proportionate given the gravity and ongoing nature of the violations. Further, and importantly, the court affirmed that the CNIL had jurisdiction to regulate Google at the time of the violations and fine. Google had argued that the Irish Data Protection Commission was its supervisory authority and its “one-stop-shop” for data protection issues. However, the court determined that at the time of the fine, Google’s Irish subsidiary did not control decisions in relation to the data processing activities of other Google subsidiaries. The GDPR’s “one-stop-shop” was therefore not available to Google at the relevant time and the CNIL had proper jurisdiction. This decision is an important statement that the GDPR’s vaunted one-stop-shop mechanism, which enables companies to effectively forum shop for EU data protection regulators, must be appropriately supported by a company’s actual setup and place of decision making to be effective.