By Matt Dumiak
France’s Supervisory Authority (CNIL) has fined Google $56.8 millions Euros for what the data protection watchdog believes is a violation by the multinational tech company on EU’s General Data Protection Regulation (GDPR). After receiving complaints based on ‘forced consent’ by Google from La quadrature du Net, a French digital rights advocacy group, and None of Your Business, a nonprofit organization led by Max Schrems (known for previous campaigns against Facebook for privacy violation), the CNIL started its investigation.
On the basis of its investigation, the CNIL established two types of breaches of the GDPR by Google that occur when new Android users set up a new phone and follow Android’s onboarding process.
They claim that Google is making its data collection policies too difficult to access and that the company failed to obtain specific user consent.
The CNIL notes two specific reasons, later covered in this document:
- A violation of the obligations of transparency and information.
- A violation of the obligation to have a legal basis for ads personalization.
This decision by the CNIL shows insight into how it was permitted to issue the fine despite Google’s European HQ being located in Dublin.
The GDPR establishes a “one-stop shop” mechanism, providing that, as a main rule, organizations carrying out cross-border personal data processing activities will only have to deal with one lead supervisory authority (the DPA of that Member State) in the future. Cross-border processing can be further understood through Article 4(23) of the GDPR.
The benefit of the one-stop shop mechanism is that controllers and processors will be able to collaborate with one DPA so that other “concerned DPAs” can also be involved when the processing in question affects individuals in their State.
The main establishment is further defined in Article 4(16) as:
“the place of central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;”
The word “unless” is key in identifying the Lead SA for Google, or the lack of. Google’s headquarters is in Ireland, so naturally one would think it constitutes as the “place of central administration in the Union.” Wrong. The CNIL concluded that the EU Google HQ does not have the final say when it comes to data processing during the creation of new users on the Android OS (Who does? Most likely Google’s HQ in California but decidedly not in Ireland). This means that the Google Ireland HQ cannot be considered as a main establishment within the meaning of Article 4(16).
The CNIL noted that the violations are “continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
As of now, the CNIL is the supervisory authority responsible for the matter; other SA’s across EU will not be able to issue fines for the same infractions. However, I would not be surprised if SA’s across EU are examining Google’s operations under a now heavily magnified GDPR lens.
As this is the largest fine issued under the GDPR, all Member States of the EU would be wise to pay close attention and be eager to exercise their powers. Google (and many other companies) would be even wiser to take a closer look than before on how the GDPR impacts their data processing and act quickly. Most certainly Google will appeal the fine which will provide more insight onto the situation and how clever Google’s lawyer can get in excusing Google’s actions. The $58.6 million fine is likely not a concern to Google. The real concern to Google is the changes it will be forced to make.
Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.