In 2019, the CNIL issued this significant fine against Google LLC, after finding that Google had failed to comply with the information, transparency and consent requirements set out in the GDPR in the context of its Android operating system. Google appealed the decision before the Conseil d'Etat, which finally dismissed the appeal on 19 June this year.
This ruling enshrines what remains the biggest GDPR fine imposed by a European data protection authority to date.
1. Inapplicability of the one-stop-shop mechanism to Google
Google's first line of defence was to argue that the CNIL was not competent to issue a fine against it.
Indeed, Google LLC (an American company) argued that its main establishment in Europe was located in Ireland, and that the Irish data protection authority should therefore be solely competent to issue a fine against Google in application of the "one-stop-shop mechanism" laid out in the GDPR.
However, the Conseil d'Etat noted that, at the time of the CNIL's investigation and decision:
the Android operating system was entirely developed and exploited by Google LLC in the United States, and
Google Ireland did not have any control over Google's other European subsidiaries and thus could not be seen as Google LLC's central administration in Europe;
Google Ireland did not have any decision-making power over the processing of personal data implemented by Google LLC via the Android operating system.
The Conseil d'Etat therefore concluded that Google did not have a "main establishment" in Europe, within the meaning of the GDPR, at the time of the CNIL's decision. Consequently, the one-stop-shop mechanism did not apply and the CNIL was indeed competent to assess whether the processing of personal data relating to French Android users was made in compliance with French data protection rules.
2. GDPR breaches: the CNIL's initial findings validated by the Conseil d'Etat
In 2019, the CNIL sanctioned Google for the breach of two requirements under the GDPR, namely: a failure to inform its users properly and to comply with the transparency principle on the one hand, and a failure to demonstrate a valid legal basis for targeted advertising processing on the other hand.
3. Insufficient information and lack of transparency
In its decision of 19 June 2020, the Conseil d'Etat agreed with the CNIL that the overall approach chosen by Google LLC to inform its users on the processing of their personal data was inadequate in that it did not enable the users to easily access this information and this information was not clear enough.
Indeed, Google chose a layered approach to provide the required information, meaning that the data subjects were provided with a first layer of information and had to click on several links in order to access more detailed information on specific aspects of the processing.
The Conseil d'Etat considered the first layer of information provided by Goole to be too general, given the importance of the processing activities, their intrusiveness in the data subject's privacy, as well as the volume and nature of the data that was processed.
It also noted that some essential information was too difficult to access and at times required the data subjects to take multiple actions (e.g. to click on several links) before they could access the information. In addition, this information was at times deemed insufficient by the court.
It is worth highlighting however that the Conseil d'Etat does not question the validity of the layered-approach as a means of informing the data subjects in accordance with the GDPR. In fact, it emphasizes that the CNIL never required that an exhaustive list of all the mandatory information be provided in the first layer of information. However, this case does show that controllers who adopt such a layered-approach must ensure that the first layer of information does provide the data subjects with clear information at least on the topics that are deemed "essential" by the CNIL from the start. Unfortunately, the Conseil d'Etat does not provide further insight as to how controllers should proceed in order to comply with this information requirement when they opt for a layered-approach.
4. Invalid consent
Concerning the processing of personal data for targeted advertising purposes, the CNIL had sanctioned Google for failing to obtain valid consent for such processing. The Conseil d'Etat confirmed the CNIL's findings and agreed that Google did indeed fail to obtain valid consent for this processing activity on the grounds that:
The diluted and overly general nature of the information provided to data subjects meant that consent was not sufficiently informed and therefore was not valid; and
- The use of a pre-ticked box to obtain consent does not meet the GDPR requirements because consent must be based on a "clear affirmative action" of the user (such as actively ticking a box), as opposed to a passive action (such as leaving a pre-ticked box ticked).
5. A proportionate fine
Lastly, Google had argued that the fine issued by the CNIL was disproportionate. This argument was also dismissed by the Conseil d'Etat, which ruled that the fine was proportionate in light of the seriousness of the GDPR breaches, the caps for administrative fines provided for under the GDPR and Google's financial situation.
6. The end of the road for Google in France?
In this decision, the Conseil d'Etat upheld all the points that were made by the CNIL in its decision of 2019 to issue a 50 million euro fine against Google.
It is interesting to note that in its pleadings, Google requested that, should the Conseil d'Etat refuse to overturn the CNIL's decision, the matter would be referred to the Court of Justice of the European Union ("CJEU") to ask two preliminary questions (one on the one-stop-shop mechanism and the other on consent). However, the Conseil d'Etat ruled that there was no need to refer to the CJEU and dismissed Google's request entirely. It would therefore appear that the French court has put an end to Google's proceedings.
Sign up to our email digest