It only took hours for the first-ever GDPR complaint to be filed on 25 May 2018, with Google in the firing line. The investigation into the complaint concluded on 21 January 2019, and a decision was rendered: Google would be fined €50 million (approximately $57 million), the highest regulatory fine for a breach of EU data protection laws. The stark contrast to previous penalties — such as the £500,000 fine the U.K. Information Commissioner’s Office imposed on Facebook for the Cambridge Analytica scandal — shows that data protection authorities are more than ready to flex their new enforcement and fining powers.
The First-Ever GDPR Complaint
The complaint was filed by two privacy rights groups, None of Your Business (NOYB) and the French group La Quadrature du Net (LQDN). In short, NOYB and LQDN complained that Google “forced” its users to consent to certain Google processing activities, particularly ads personalization.
Interestingly, the French data protection authority (CNIL) took the lead in the investigation, despite the fact that Google’s European HQ is in Ireland. Under the GDPR’s “one-stop-shop” mechanism, an organization with a “main establishment” in an EU country can identify that country’s data protection authority (DPA) as its lead authority, and that DPA then becomes responsible for the organization’s regulatory oversight. However, the CNIL, in association with the Irish DPA, decided that Google does not have a main establishment in the EU. The CNIL determined that Google’s European arm had no decision-making powers over the processing at issue: neither in relation to the Android operating system, nor in relation to the processing that takes place when a Google user account is created and set up during the configuration of a mobile phone. According to the CNIL, those powers rest with Google LLC, Google’s U.S. arm, so the one-stop-shop mechanism did not apply to Google.
The CNIL’s Decision
After carrying out online inspections of Google’s processing operations throughout September 2018, the CNIL found that Google:
- Did not have a legal basis for ads personalization processing, because the “consent” relied upon was deficient in two respects:
  - The consent was not sufficiently informed, because the relevant information was spread across several documents and lacked certain key elements, such as the plurality of services involved and the amount of information processed and combined.
The CNIL justified the size of the fine, and its decision to publish it, on the basis of the severity of the infringement. According to the CNIL, Google breached “essential principles of the GDPR: transparency, information and consent.” It also highlighted that the breaches were continuing, and that the Android operating system occupies an important place in the French market.
What This Means for Your Business
Some key takeaways of the CNIL decision and fine are:
- DPAs will, in appropriate circumstances, use their enhanced fining powers under the GDPR: up to four percent of annual worldwide turnover or €20 million, whichever is greater. Furthermore, it is clear that, at least for large and well-resourced organizations for which processing is a key aspect of their business, DPAs will be prepared to focus on the words “whichever is greater.”
- For organizations with multiple EU establishments, be prepared to justify which DPA is your lead DPA, bearing in mind that DPAs will look at exactly where the decision-making powers over the processing activities lie, and will enforce accordingly.
- Where the GDPR applies to you, ensure your privacy policies and consent flows are updated to GDPR standards: information that is spread across several documents, or that omits how data from different services is combined, was exactly what the CNIL found deficient here.