And So It Begins: France Fines Google $57 Million for Violating GDPR

On January 21, 2019, France’s data privacy agency, the National Data Protection Commission (CNIL) announced that it was issuing a €50 million fine against Google, Inc. for violating the new EU General Data Protection Regulation (GDPR).  This is the first enforcement action under the new penalty ranges of the GDPR and the first GDPR enforcement action against a U.S.-based company.  It signals a shift to a new phase of GDPR enforcement.  Since the GDPR came into effect on May 25, 2018, data protection agencies in EU member states have been flooded with complaints and investigating possible violations and data breaches by companies that fall within the GDPR’s expansive jurisdiction.  This enforcement action, which targets deficiencies in how a U.S. company has complied with the GDPR, helps to explain the investigative methods and enforcement calculus of EU data protection agencies.

Of course Google plans to appeal the fine before the Council of State, the top administrative court in France.  The appeal decision will likely provide further insight into how U.S. companies should address GDPR concerns.

The Violations

Specifically, CNIL claims that Google violated the GDPR in the following ways:

  • (1) Transparency and Information Disclosure Violations
    • Information on how Google users’ data is collected and processed was not easily accessible to users, sometimes requiring a user to click five or six links before arriving at the relevant portion of Google’s privacy policies.
    • The information did not clearly communicate the extent of processing operations carried out by Google on users’ data or the lawful bases for certain processing activities.
    • The information was not sufficiently comprehensive, and often relied on generic and vague descriptions of the data processing activities.  Some information, such as the amount of time that data would be retained, was simply not provided for some data.
  • (2) Consent Violations
    • Google failed to obtain sufficiently informed consent from its users to process data for the personalization of advertisements.
    • The “consent” check-box for ad personalization was pre-ticked, meaning that users needed to opt-out of this setting.
    • Google required users to “bundle” their consent by agreeing either to all or none of Google’s data processing activities, instead of requesting specific consent for each set of data operations.

This enforcement action resulted from an investigation by CNIL into how Google obtains consent, discloses information, and then collects and processes data with respect to the creation of a Google account when configuring a mobile phone using Android.  Accordingly, CNIL and other regulatory bodies may still have room to investigate and pursue actions against Google for other GDPR violations related to various other Google services and products.  As more information becomes public, we will provide additional updates regarding CNIL’s Google decision and any other enforcement actions that may implicate GDPR compliance issues for U.S.-based associations.

The Jurisdictional Issue

It is important to remember that while the GDPR is an EU-wide regulation, it is administered, enforced, and regulated at the member state level.  Accordingly, each member state has one (or more) data protection agencies, called “supervisory authorities.”  The GDPR envisaged scenarios where particular GDPR violations may impact individuals across member state borders, and set forth procedures for determining a “lead” supervisory authority that would coordinate investigations and allegations regarding cross-border processing by any non-compliant controller or processor. 

As relevant here, Article 56(a) of the GDPR states that the “the supervisory authority of the main establishment or of the single establishment of the controller or processor shall be competent to act as lead supervisory authority for the cross-border processing carried out by that controller or processor.”  Article 60 of the GDPR contains the specific procedures for the lead supervisory authority to coordinate investigations and enforcement actions between various member state agencies.  These procedures include some controls to ensure that agencies act in a unified and consistent manner with their investigations and enforcement actions.

Importantly, in this case, Google, Inc. has an entity located in the EU, in Ireland.  However, to qualify as “the main establishment” under the GDPR, the establishment must have some decision-make power or relation to the processing activities at issue.  Here, Google’s Ireland entity did not have decision-making power for the processing operations involved with setting up a Google account on a new mobile phone.  Accordingly, CNIL, and other member state authorities, were authorized to pursue their investigations and enforcement actions against Google’s U.S. headquarters independently of one another with no “lead” supervisory authority coordination.

This procedural curiosity may detract further from any predictability when it comes to GDPR investigations and enforcement actions.  Even if a U.S. company falls within the GDPR because of an existing EU establishment (e.g., an affiliate, subsidiary, or local agent) in one member state – the U.S. company may be targeted by various independent investigations and penalties from separate member states with no coordination or consistency.  On the one hand, this may result in a U.S. company responding to multiple redundant investigations all at once, elevating already expected high costs, and receiving numerous inconsistent enforcement actions.  On the other hand, it may mitigate the possibility that member states all pile on every time an investigation is initiated by a lead authority.

The Lessons

CNIL’s list of Google’s violations in this case provides some insight on how to interpret the GDPR’s rules.

Make Sure the Information in Your Privacy Policies is Accessible, Clear, and Complete

Ever since the GDPR was ratified, experts have warned about the difficulty in reconciling the obligations for (1) clear and concise communication and (2) comprehensive disclosure.  According to CNIL, Google failed on both counts.

First, CNIL found that the descriptions of the data were too vague and generic.  CNIL took particular issue with the fact that Google did not clarify that data processing for ad personalization purposes was based on user consent rather any legitimate interest of the company.  And, in some cases, CNIL noted that Google failed to provide the relevant information altogether.  Specifically, CNIL observed that Google did not provide a retention period for some data.

Second, CNIL notes that Google failed to clearly and concisely communicate information on how it processes, collects, and retains data.  Indeed, CNIL states that “the general structure of the information chosen by [Google] does not . . . comply with the regulation.”  CNIL found that users had to click too many links in the Privacy Policy to access relevant information, sometimes requiring 5 or 6 clicks.  Rather than being comprehensive and user-friendly, CNIL found that this approach made relevant information “not easily accessible.”

These complaints underscore the importance of drafting Privacy Policies to communicate the required information in a clear and concise manner.  They also suggest that splitting the policy into bite-size webpages or segments or using vague, oversimplified language may be more harmful than helpful.

The lessons so far from the Google case for Privacy Policy drafting are:

  • (1) Make Sure Users Can Easily Find Information
    • Use clear headlines
    • Do not split up information into too many “bite-size” pieces
    • Do not make the user click too many “learn more” or “more information” links
    • If your policy is long – consider a table of contents
  • (2) Do Not Use Vague and Generic Terms
    • Be clear on why and how data is collected and used
  • (3) Include Information on the Applicable Retention Period for Collected Data

Do Not Bundle Consent or Use Pre-Ticked (Opt-Out) Boxes

CNIL’s second set of complaints against Google concerned how Google obtained consent from its users. 

First, CNIL accused Google of essentially integrating “pre-ticked” boxes of consents into the Settings and More Options menus.  As a result, users need to review their settings and advanced options in order to clarify that they do not consent to certain ad personalization processing operations.  According to CNIL, this means that users’ consent is not sufficiently informed. 

Second, CNIL observed that Google bundled user consent to the Privacy Policy in one pre-ticked box stating “I agree to the processing of my information as described above and further explained in the Privacy Policy.” 

Companies must ensure that they obtain separate consent for each set of processing operations that require consent under the GDPR.  See Article 7, GDPR.  Additionally, the GDPR’s high standard for consent requires that the consent be unambiguous and affirmative.  For this reason, “pre-ticked” consent boxes are treated as a per se violation of the GDPR.  These are fundamental rules under the GDPR, so CNIL’s second set of accusations are no surprise.

The issue of handling consent in settings or options configurations, however, highlights the importance of “Privacy-by-Design.”  Many features that were previously conceived of as settings or options may now be privacy decisions that need to be made by the user up-front.  Accordingly, applications and systems need to restructure the placement, defaults, and accessibility for setting and options that deal with how personal data is collected, used, or retained.

The lessons so far from the Google case regarding consent issues are:

  • (1) Do Not Bundle Consents
  • (2) Do Not Use “Pre-Ticked” Boxes
  • (3) Make Sure Consent Issues Are Addressed Up-Front, not in Settings and More Options Menus

Conclusion

CNIL’s observations here were not surprising.  Nonetheless, the fact that CNIL independently issued a €50 million fine against Google demonstrates that supervisory authorities, at least in France, are willing to penalize U.S. companies for GDPR violations.  We will be watching the Google appeal process closely, and in the meantime, we will report on situations where supervisory authorities begin to fine U.S. companies for unclear privacy policies and pre-ticked or bundled consent boxes.

If you have any questions regarding GDPR compliance, please feel free to contact Oliver Krischik at (202) 342-5266 or okrischik@gkglaw.com.

Copyright © 2024. All Rights Reserved.