Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
January 24, 2019

Google Alert! First-Ever GDPR Complaint Ends in Record-Breaking Fine

It only took hours for the first-ever GDPR complaint to be filed on 25 May 2018, with Google in the firing line. The investigation into the complaint concluded on 21 January 2019, and a decision was rendered: Google would be fined €50 million (approximately $57 million), the highest regulatory fine for a breach of EU data protection laws. The stark contrast to previous penalties — such as the £500,000 fine the U.K. Information Commissioner’s Office imposed on Facebook for the Cambridge Analytica scandal — shows that data protection authorities are more than ready to flex their new enforcement and fining powers.

The First-Ever GDPR Complaint

The complaint was filed by the two privacy rights groups None of Your Business (NOYB) and French Quadrature du Net (LQDN). In short, NOYB and LQDN complained that Google “forced” its users to provide consent to certain Google processing activities, particularly ads personalization.

Interestingly, the French data protection authority (CNIL) took the lead in the investigation, despite the fact that Google’s European HQ is in Ireland. Under the GDPR’s “one-stop-shop mechanism,” organizations with a “main establishment” in an EU country can identify that country’s data protection authority (DPA) as its lead authority. Consequently, that DPA becomes responsible for the company’s regulatory oversight. However, the CNIL, in association with the Irish DPA, decided that Google does not have a main establishment in the EU. The CNIL determined that Google’s European arm had no decision-making powers related to data processing: neither in relation to the operating system, Android, nor for processing that is part of a Google user’s account creation and set-up during the configuration of a mobile phone. According to the CNIL, such powers rest with Google LLC, Google’s U.S. arm, meaning that the “one-stop-shop-mechanism” did not apply to Google.

The CNIL’s Decision

After carrying out online inspections of Google’s processing operations throughout September 2018, the CNIL found that Google:

  • Did not have a legal basis for ads personalization processing because the “consent” relied upon was deficient in two respects:
    • The consent was not sufficiently informed because the relevant information was spread across several documents and lacked certain key elements, such as the plurality of services involved and the amount of information processed and combined.
    • The consent was neither “specific” nor “unambiguous” — Google used pre-ticked boxes to gain customer consent to display personalized advertisements (and therefore failed to meet the unambiguous test) and, before creating an account, users were asked to give their consent in full to all the processing described in the privacy policy, rather than on a specific and granular basis for each feature.
  • Fell short of its GDPR transparency and information responsibilities by having a privacy policy that, among other shortcomings, was unclear, vague (particularly in disclosing its processing purposes and the categories of information processed for these purposes), not comprehensive and difficult to navigate.

The CNIL justified the magnitude and publication of the fine on the basis of the severity of the infringement. According to the CNIL, Google breached “essential principles of the GDPR: transparency, information and consent.” It also highlighted that the breaches are continuous, and the important place the Android operating system occupies in the French market.

What This Means for Your Business

Some key takeaways of the CNIL decision and fine are:

  1. DPAs will, in appropriate circumstances, use their enhanced fining powers under GDPR — up to four percent of annual worldwide turnover or €20 million, whichever is greater. Furthermore, it is clear that at least with large and well-resourced organizations for whom processing is a key aspect of their business, DPAs will be prepared to focus on the words “whichever is greater.”
  2. For organizations with multiple EU establishments, be prepared to justify who your lead DPA is, being mindful that DPAs will consider exactly where the decision-making powers in relation to processing activities lie — and enforce accordingly.
  3. If your business relies on “consent” as a legal basis for processing, ensure that you meet the GDPR’s threshold for valid consent. Be specific — do not bundle consents and do not expect a general consent to a privacy policy to be sufficient.
  4. Where the GDPR applies to you, ensure your privacy policies are updated to GDPR standards.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.