Insights and Events
Filter your search:
Filter your search:
最新
January 24, 2019

Google Alert! First-Ever GDPR Complaint Ends in Record-Breaking Fine

Download
Authors: Huw Beverley-Smith , Jonathon A. Gunn , Hans-Christian Mehrens

It only took hours for the first-ever GDPR complaint to be filed on 25 May 2018, with Google in the firing line. The investigation into the complaint concluded on 21 January 2019, and a decision was rendered: Google would be fined €50 million (approximately $57 million), the highest regulatory fine for a breach of EU data protection laws. The stark contrast to previous penalties — such as the £500,000 fine the U.K. Information Commissioner’s Office imposed on Facebook for the Cambridge Analytica scandal — shows that data protection authorities are more than ready to flex their new enforcement and fining powers.

The First-Ever GDPR Complaint

The complaint was filed by the two privacy rights groups None of Your Business (NOYB) and French Quadrature du Net (LQDN). In short, NOYB and LQDN complained that Google “forced” its users to provide consent to certain Google processing activities, particularly ads personalization.

Interestingly, the French data protection authority (CNIL) took the lead in the investigation, despite the fact that Google’s European HQ is in Ireland. Under the GDPR’s “one-stop-shop mechanism,” organizations with a “main establishment” in an EU country can identify that country’s data protection authority (DPA) as its lead authority. Consequently, that DPA becomes responsible for the company’s regulatory oversight. However, the CNIL, in association with the Irish DPA, decided that Google does not have a main establishment in the EU. The CNIL determined that Google’s European arm had no decision-making powers related to data processing: neither in relation to the operating system, Android, nor for processing that is part of a Google user’s account creation and set-up during the configuration of a mobile phone. According to the CNIL, such powers rest with Google LLC, Google’s U.S. arm, meaning that the “one-stop-shop-mechanism” did not apply to Google.

The CNIL’s Decision

After carrying out online inspections of Google’s processing operations throughout September 2018, the CNIL found that Google:

  • Did not have a legal basis for ads personalization processing because the “consent” relied upon was deficient in two respects:
    • The consent was not sufficiently informed because the relevant information was spread across several documents and lacked certain key elements, such as the plurality of services involved and the amount of information processed and combined.
    • The consent was neither “specific” nor “unambiguous” — Google used pre-ticked boxes to gain customer consent to display personalized advertisements (and therefore failed to meet the unambiguous test) and, before creating an account, users were asked to give their consent in full to all the processing described in the privacy policy, rather than on a specific and granular basis for each feature.
  • Fell short of its GDPR transparency and information responsibilities by having a privacy policy that, among other shortcomings, was unclear, vague (particularly in disclosing its processing purposes and the categories of information processed for these purposes), not comprehensive and difficult to navigate.

The CNIL justified the magnitude and publication of the fine on the basis of the severity of the infringement. According to the CNIL, Google breached “essential principles of the GDPR: transparency, information and consent.” It also highlighted that the breaches are continuous, and the important place the Android operating system occupies in the French market.

What This Means for Your Business

Some key takeaways of the CNIL decision and fine are:

  1. DPAs will, in appropriate circumstances, use their enhanced fining powers under GDPR — up to four percent of annual worldwide turnover or €20 million, whichever is greater. Furthermore, it is clear that at least with large and well-resourced organizations for whom processing is a key aspect of their business, DPAs will be prepared to focus on the words “whichever is greater.”
  2. For organizations with multiple EU establishments, be prepared to justify who your lead DPA is, being mindful that DPAs will consider exactly where the decision-making powers in relation to processing activities lie — and enforce accordingly.
  3. If your business relies on “consent” as a legal basis for processing, ensure that you meet the GDPR’s threshold for valid consent. Be specific — do not bundle consents and do not expect a general consent to a privacy policy to be sufficient.
  4. Where the GDPR applies to you, ensure your privacy policies are updated to GDPR standards.

作者

Photo of Huw Beverley-Smith
Huw Beverley-Smith

Partner

+44 (0) 20 7450 4551
London
Photo of Jonathon A. Gunn
Jonathon A. Gunn

Associate

+44 (0) 20 7450 4512
London
Photo of Hans-Christian Mehrens
Hans-Christian Mehrens

Associate

+44 (0) 20 7450 4531
London

Related Legal Services

Corporate International International Transactions

Suggested Reading

最新 December 2018

In or Out? EDPB Publishes Much-Awaited Guidance on GDPR’s Territorial Scope

12 min read  
最新 August 2018

International Data Transfers: EU and Japan Sign Reciprocal Agreement for Free Flow of Personal Data

7 min read  
最新 July 2018

GDPR’s Second Month - Privacy Shield, the Politics of Transatlantic Data Flows and Regulatory Enforcement

7 min read  
最新 June 2018

GDPR Rounds Its First Month: Takeaways From the GDPR's First 30 Days

9 min read  
The Faegre Baker Daniels website uses cookies to make your browsing experience as useful as possible. In order to have the full site experience, keep cookies enabled on your web browser. By browsing our site with cookies enabled, you are agreeing to their use. Review Faegre Baker Daniels' cookies information for more details.