France, CNIL, 21 January 2019 2019-001
Case summary
Deciding Body
Commission nationale de l'informatique et des libertés
France
National case details
Registration ID: 2019-001
Area of law
Other
Identification of the case
- Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, in particular article 45
- Decree No. 2005-1309 of 20 October 2005, as amended, implementing Law no. 78-17 of 6 January 1978 on information technology, data files and civil liberties
- Council of Europe Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data (GDPR)
Summary of the case
The CNIL (Commission nationale de l'informatique et des libertés) was seized of two collective complaints, submitted in accordance with Article 80 of the GDPR, from associations criticizing Google for not having a valid legal basis for processing the personal data of the users of its services, in particular for the purposes of advertising personalization.
The CNIL immediately began investigating these complaints. In accordance with the provisions on European cooperation set out in Article 56 of the GDPR, the CNIL submitted these two complaints to its European counterparts via the European information exchange system with a view to designating a possible lead authority. Indeed, the GDPR establishes a "one-stop shop" mechanism which provides that a body established in the European Union must have as its sole interlocutor the authority of the country where its principal place of business is located. This data protection authority then acts as the lead authority. As such, it must coordinate with the other national data protection authorities before taking a decision.
- Administrative judicial enforcement
Public notice of fine (50 million euros).
In the present case, exchanges with other authorities, in particular the Irish data protection authority (Ireland being where Google's European headquarters are located), did not lead to the conclusion that Google had a principal place of business in the European Union. Indeed, at the date on which the CNIL began its proceedings, the Irish establishment did not have the power to decide on the processing implemented in the context of the Android operating system and the services provided by Google LLC in connection with the creation of a user account when configuring a mobile phone.
As the so-called "one-stop shop" system was not applicable, the CNIL, like all other data protection authorities in the Union, was therefore competent to take decisions concerning the processing implemented by Google LLC, with regard to Article 55 Paragraph 1 and Article 56 Paragraph 1 of the GDPR. The CNIL considers that Google Ireland Limited cannot be considered as Google LLC's main establishment in Europe within the meaning of Article 4 (16) of the GDPR, since it has not been established that it has decision-making power over the processing covered by the privacy policy presented to the user on creation of their account when setting up their mobile phone with Android. In the absence of a main establishment allowing the identification of a lead authority, the CNIL was competent to initiate this procedure and to exercise all of its powers under Article 58 of the GDPR. It did so by applying the new European framework as interpreted by all European authorities in guidelines issued by the European Data Protection Committee.
In order to investigate the complaints submitted, the CNIL conducted an online audit. The objective was to verify that the personal data processing carried out by Google complied with Law No. 78-17 of 6 January 1978 on information technology, data files and civil liberties and with the GDPR, by analyzing the path of a user and the documents to which they can have access when creating a Google account while configuring their mobile device under Android.
On the basis of the investigations carried out, the CNIL found two series of breaches of the GDPR.
Firstly, a failure to comply with transparency and information obligations. The information provided by Google was not easily accessible to users, nor clear and understandable. There has been a breach of the transparency and information obligations provided for by Articles 12 and 13 of the GDPR.
Secondly, a failure to have a legal basis for the processing carried out for advertising personalization. Google relies on users' consent to process their data for the purpose of personalizing advertising. However, the consent is not validly collected, for two reasons. First, user consent is not sufficiently informed: the information on such processing, diluted across several documents, does not allow the user to be aware of the extent of the processing. Second, the consent collected is not "specific" and "unambiguous".
On the breach of the obligation to have a legal basis for the processing implemented, the CNIL considers that the consent on which the company bases personalized advertising processing is not validly obtained as provided for in Article 6 of the GDPR.
The CNIL pronounced a financial penalty of 50 million euros against the company Google LLC in application of the GDPR for lack of transparency, unsatisfactory information and lack of valid consent for the personalization of advertising. The CNIL has made its decision public on the CNIL website and on the Légifrance website; it will be anonymised upon expiry of a period of two years.
Role of the Charter and role of the general principles on enforcement
Explicit reference to Article 6 ECHR