France: Google’s €50 million fine upheld!
In May 2018, two European pressure groups – None Of Your Business and La Quadrature du Net – filed complaints with France’s data protection watchdog CNIL against Google LLC, claiming that offering a “take it or leave it” option to users when they sign up to the site was not enough to validly obtain users’ consent for personalised ads. Just over 2 years later, following an initial sanction by the CNIL, we now have the outcome of Google’s appeal…
Gerrish Legal covered the high-profile case in February 2019, which saw the CNIL, France’s supervisory authority for data protection matters, impose a €50 million fine on Google – second only to British Airways’ massive £183 million GDPR breach fine.
Background
Following the complaints made by Noyb and La Quadrature du Net, the CNIL reviewed Google’s processes and agreed that two vital parts of the GDPR requirements were missing: that the uses of the data being processed are transparent, and that the legal basis is clear – and it issued Google with a €50 million fine.
This was not the largest amount the CNIL could have fined Google – it has the authority to fine up to 4% of annual turnover, which for Google would be almost €4 billion!
When users sign up to Google they are presented with a privacy agreement, but information about Google’s processing of data was split over multiple documents, help pages and settings screens. This included links that needed to be used to read additional information, and some information was not available until up to 5 or 6 actions had been taken. Even then, the information was not always clear and understandable.
It was too difficult for users to understand the extent of data processing Google would carry out, especially since some of the processing was particularly lengthy and intrusive, some involving over 20 services that could be offered. In the section explaining data processing in relation to the customisation of ads, for example, it was not clear which sites and applications were involved – spanning from YouTube, to Google Maps, to Play Store.
Google additionally did not validly collect consent as it did not ask users to specifically opt in to ad targeting, but simply asked them to agree to Google’s terms and privacy policy in one single click. When creating an account, the user did have the option to change some options (if they clicked the “more options” button!); however, the personalisation of ads was checked by default.
At the end of the process, users had to accept that their information would be used “as above” – the CNIL held that this does not count as collecting consent, as the consent is not “specific” or “unambiguous”, and consent had not been collected for each purpose.
The CNIL justified the massive fine on the basis that these violations are happening every day, with people continuing to sign up to, and use, the Google site.
In a statement, Google claimed that they had worked hard to create a GDPR consent process that was “as transparent and straightforward as possible, based on regulatory guidance and user experience testing”.
After reviewing the case, the search engine unsurprisingly appealed the fine, claiming that French authorities had no jurisdiction over Google’s European headquarters and purporting that, if imposed, the sanctions would affect “publishers, original content creators and tech companies in Europe and beyond”, which leads us up to the present day.
The outcome of Google’s appeal
On June 19th 2020, the Conseil d’État – France’s top court for administrative law – upheld the sanctions imposed by the CNIL, attesting that, at the time, the CNIL was fully competent to impose such sanctions on Google and that it had correctly applied the key principles of the GDPR.
Google maintained that the architecture they had chosen aimed to inform users in a clear and intelligible manner in accordance with the European Data Protection Board, containing an initial level of “Confidentiality rules and conditions of use” whilst several hypertext links – “Confidentiality rules”; “More options”; “Regulations” and “Learn more” – facilitated users accessing more comprehensive information.
The Conseil d’État responded to this on three grounds:
Firstly, the initial level of information offered to users was judged to appear “excessively general in view of the extent of the processing carried out by the company, the degree of intrusion into the private life which they imply and the volume and nature of the data collected”.
Secondly, in order to access the essential and more specific data usage information, a user “must first perform three actions from the first level of information, before returning to the initial document and performing two new actions, for a total of five actions, while six actions are necessary to obtain exhaustive information regarding geolocation”.
Finally, the information itself was judged to sometimes be “incomplete or insufficiently precise”, in addition to the fact that the document relating to the conservation of data published by Google indicated that certain data may be kept “for long periods for specific reasons” without indicating either the purposes pursued or the data concerned.
In addition, the Conseil d’État upheld the CNIL’s consideration that user consent was not validly collected for the processing of personalised ads, as consent was obtained by means of a tick-box that was checked by default, which did not comply with GDPR requirements.
Pulling these together, the Conseil d’État held that “the tree chosen by Google appears likely, by the scattering of information it organises, to harm the accessibility and the clarity of it for users” and upheld the violation of the information and transparency obligations defined by articles 12 and 13 of the aforementioned GDPR.
What now?
Well, for Google, they have got to pay the €50 million fine once it is registered to the National Commission for Data Protection. Frankly, they should consider this a light imposition, given that the CNIL can fine up to 4% of annual turnover.
But how about the bigger picture? Google’s aforementioned concern that the sanctions would affect “publishers, original content creators and tech companies in Europe and beyond” is true, to an extent. The decision clarifies the need for simplification of access to data usage information; five to six actions was considered too many here, so companies will need to implement as few actions as possible to ensure they are acting in line with the GDPR.
However, providing users with data usage information has been of huge significance since the GDPR was implemented in May 2016.
Thus, the sanctions enforced here by the CNIL do not present issues as drastic as purported by Google. Rather, company data trees must be “pruned”, reducing the number of branches a user must go down before they can access the information in its entirety. The precedent here is not one of drastic change, but one of simplification, which can only be positive in a climate where user rights are finally being balanced against those of companies and corporations.
As usual, if you want to discuss the contents of this article, or if you have any queries related to GDPR, data processing or consent requirements for your business, please do not hesitate to get in touch!
Article by Sam Holmes @ Gerrish Legal, July 2020 / Cover photo by Mitchell Luo on Unsplash