The French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), has imposed a fine of €50 million on Google for infringing the GDPR, in particular for a lack of transparency, insufficient information to the data subject and the lack of valid consent for personalised advertising. What should companies take away from this CNIL decision?
Following complaints from two interest groups, the CNIL created a Google account in September 2018 while configuring a mobile phone running the Android operating system. The CNIL found two infringements.
As a first infringement, the CNIL notes that essential information, such as the purposes for which the data are processed, the retention period of the data or the categories of data used to personalise advertising, is spread too widely across various documents, which contain buttons and links that must be clicked to reach additional information.
According to the CNIL, the relevant information is only accessible after a number of steps, sometimes requiring as many as five or six actions. This is the case, for example, when a user wants complete information about the collection of their data for the purpose of personalising advertisements or for geolocation.
When creating a Google account, according to the CNIL, the purposes described are too general and vague, as are the descriptions of the data processed for these different purposes. The user is therefore unable to understand the scope of the processing carried out by Google. That scope is large and significant because of the number of services offered (at least 20) and the quantity and nature of the data processed and combined.
The second infringement concerns the user's consent to the personalisation of advertising. According to the CNIL, when creating a Google account, it is not sufficiently clear that consent is the legal basis rather than Google's legitimate interest. The CNIL states that the consent, on the one hand, is not sufficiently informed and, on the other hand, that the consent obtained is not specific and unambiguous.
According to the CNIL, the user does not sufficiently understand what they are consenting to, because the information is spread over several documents. As a result, the user is not aware of the scope of their consent, which covers a multitude of services, such as Google Search, YouTube, Google Home, Google Maps, the Play Store and Google Photos.
When creating a Google account, the user can change a number of parameters, but only after clicking on "more options" before the account is created. Moreover, the display modes for personalised ads are preset, whereas the GDPR requires a positive action from the user before consent can be called specific and unambiguous.
Finally, before creating an account, the user is asked to tick the boxes "I accept Google's terms of use" and "I agree that my information may be used as described above and in the privacy policy". According to the CNIL, such a process leads to the user giving consent for all the purposes Google pursues (personalisation of advertising, speech recognition, etc.), whereas consent is specific only if it is given for each individual purpose.
Before initiating its investigation, the CNIL first examined its own competence. One of the advantages of the GDPR for companies, and especially for multinationals, is the so-called one-stop-shop mechanism. Under this mechanism, in the case of cross-border processing, companies are subject only to the supervisory authority of their main establishment in the EU. The purpose of the one-stop-shop mechanism is to avoid conflicting decisions between supervisory authorities.
Like several other multinationals, Google has its European headquarters in Ireland. This would mean that only the Irish supervisory authority is competent for Google's cross-border processing in the EU, and that in principle the Irish authority should be Google's interlocutor.
However, the CNIL states that the Irish establishment did not have any decision-making power over Google's cross-border processing activities at the time the CNIL initiated its proceedings. According to the CNIL, it is therefore competent, as are all the other national supervisory authorities.
For companies it is important to remember from the decision of the CNIL that:
For the time being, it remains to be seen how Google will react to this GDPR fine, but in the meantime you can read the CNIL's decision in full here (in French).