On June 19, 2020, France’s Highest Administrative Court (“Conseil d’Etat”) upheld the decision of the French Data Protection Authority (the “CNIL”) to impose a €50 million fine on Google LLC (“Google”) under the EU General Data Protection Regulation (the “GDPR”) for its alleged failure to (1) provide notice in an easily accessible form, using clear and plain language, when users configure their Android mobile devices and create Google accounts, and (2) obtain users’ valid consent to process their personal data for ad personalization purposes. Google had appealed this decision before the Conseil d’Etat. Because the Conseil d’Etat hears cases on appeal from the CNIL in both the first and last instances, the CNIL’s fine is now final. This fine against Google was the first fine imposed by the CNIL under the GDPR and is the highest fine imposed by an EU supervisory authority under the GDPR to date.
The CNIL’s enforcement action was the result of collective actions filed in May 2018 by two not-for-profit associations—None Of Your Business (“NOYB”) from Austria and La Quadrature du Net (“LQDN”) from France. On June 1, 2018, the CNIL shared these two complaints with other EU data protection supervisory authorities with a view toward designating a lead supervisory authority in accordance with Article 56 of the GDPR. On September 21, 2018, the CNIL nevertheless undertook an online inspection to assess whether the processing activities carried out by Google in the context of its Android operating system complied with the French Data Protection Act and the GDPR.
As a result of its investigation, the CNIL asserted that Google had failed to (1) comply with the transparency and notice requirements of the GDPR, and (2) obtain valid consent from users. With respect to the transparency and notice requirements, the CNIL believed that the information provided to users when creating a Google account was not always clear and easily accessible. In particular, the CNIL found that essential information about the data processing (such as the purposes, the data retention periods or the types of personal data processed for ad personalization) was spread across several pages, and that users sometimes needed to complete up to six actions to obtain that information. In addition, the CNIL asserted that the description of some information was too vague and did not allow users to understand the extent of the data processing carried out by Google. With respect to consent, the CNIL found that users’ consent was not validly obtained for the processing of their personal data for ad personalization purposes. In particular, the CNIL noted that consent was obtained via a checkbox that was pre-checked by default. The CNIL’s Restricted Committee therefore decided to impose a fine, but addressed its decision to Google France SARL in order to enforce its decision.
On May 16, 2019, Google appealed that decision before the Conseil d’Etat, arguing irregularities on the grounds that (1) Google’s main establishment in the EU is located in Ireland for purposes of the GDPR’s one-stop-shop mechanism, and the Irish Data Protection Commissioner was competent to supervise Google’s EU data processing activities, and (2) the CNIL did not properly apply the GDPR’s cooperation and consistency procedures, particularly with respect to its failure to consult the European Data Protection Board (“EDPB”). Google further argued that the CNIL committed errors of law in (1) finding violations of the GDPR transparency and consent requirements, and (2) imposing a disproportionate fine of €50 million on Google, without taking into account all of the assessment criteria provided for in Article 83(2) of the GDPR. Google also requested that the Conseil d’Etat refer questions to the European Court of Justice for a preliminary ruling and stay the proceedings pending the European Court of Justice’s ruling. The Conseil d’Etat refused to refer questions to the European Court of Justice and rejected Google’s arguments.
The CNIL’s Jurisdiction over Google’s Processing Activities
The Conseil d’Etat found that, on the date of the CNIL’s decision, Google’s Irish affiliate, Google Ireland Limited, could not be considered Google’s place of central administration in the EU and its main establishment for the purposes of the GDPR’s one-stop-shop mechanism because: (1) it was not established that Google Ireland exercised direction or control over the other European affiliates of Google at that time so that Google Ireland could be considered Google’s place of central administration in the EU, and (2) the investigation showed that Google solely determined the purposes and means of the data processing activities in question and Google Ireland did not have decision-making power in that respect but had taken on new responsibilities concerning the data processing activities after the date of the CNIL’s decision. Accordingly, the Conseil d’Etat concluded that the one-stop-shop mechanism was not applicable on the date of the CNIL’s decision, and the CNIL was competent to investigate the complaints filed by NOYB and LQDN and impose a sanction for Google’s processing of personal data relating to French users of the Android operating system.
The Conseil d’Etat further found that, when in June 2018 the CNIL shared NOYB’s and LQDN’s complaints with other EU supervisory authorities with a view toward designating a lead supervisory authority, no other EU supervisory authority chose to refer the matter to the EDPB, nor did they indicate that they had divergent views from those of the CNIL with respect to the absence of a main establishment of Google in the EU. In addition, the Conseil d’Etat noted that in August 2018, the Irish Data Protection Commissioner publicly stated that it was not Google’s lead supervisory authority in the absence of decision-making powers of Google Ireland over the data processing activities carried out by Google in the EU. In the absence of divergent views, and since the investigation of the complaints did not fall within any of the circumstances triggering a referral to the EDPB pursuant to Articles 64 and 65 of the GDPR, the Conseil d’Etat concluded that the CNIL did not need to refer the matter to the EDPB.
The Conseil d’Etat confirmed the analysis of the CNIL with respect to both the implementation of the transparency and notice requirements, and obtaining users’ valid consent for the processing of their personal data for ad personalization.
The CNIL’s Sanction
Article 83(2) of the GDPR provides a list of criteria EU supervisory authorities are expected to use in the assessment of whether a fine should be imposed and the amount. In that respect, Google claimed that the CNIL’s decision did not state sufficient reasons because the CNIL did not comment on all of the criteria of Article 83(2) of the GDPR and did not explain how the amount of the fine was calculated.
The Conseil d’Etat rejected those arguments, considering that the requirement that the CNIL’s decisions be duly reasoned implies that the CNIL must explain only the considerations on which its decision is based. According to the Conseil d’Etat, the CNIL did not need to state reasons for its decision with respect to all of the criteria of Article 83(2) of the GDPR. Furthermore, the Conseil d’Etat found that there is no legal provision requiring the CNIL’s Restricted Committee to explain how the fine is calculated, and the CNIL’s decision did not need to provide figures in that respect.
Finally, the Conseil d’Etat found that the fine was not disproportionate given the gravity of the alleged infringements, the fact that they were still occurring at the time of the CNIL’s decision, the length of time they persisted, the maximum limits for fines provided by the GDPR and Google’s financial strength. The Conseil d’Etat concluded that there was no need to refer questions to the European Court of Justice for a preliminary ruling and dismissed Google’s appeal, thereby upholding the CNIL’s decision.
View the Conseil d’Etat’s decision (currently only available in French).