The Council of State confirms the sanction imposed on Google LLC
On 21 January 2019, the CNIL imposed a €50 million sanction on Google LLC and decided to make its decision public. The Council of State (Conseil d'État) dismissed the request against it and validated the CNIL's decision, thus confirming the proper application of the key principles of the GDPR.
On January 21, 2019, the CNIL imposed a fine of 50 million euros on Google LLC for lack of transparency, unsatisfactory information and lack of valid consent for ads personalisation.
Following complaints filed by the associations La Quadrature du Net and None of your business (NOYB) in May 2018, the CNIL investigated the processing of personal data by Google LLC. It has thus analysed the path of a user when creating a Google account from a phone running the Android operating system.
On the basis of these investigations, the CNIL found two main breaches of the GDPR:
- First, the CNIL considered that the information provided to the user when creating an account was not always clear and easily accessible. In particular, the Commission noted that essential information (on purposes, retention periods or data categories for ads personalisation) was scattered over several pages and that the user sometimes had to perform up to six actions to access it. Furthermore, the Commission noted that the information made available by Google was too vaguely worded, which did not allow users to understand the extent of Google's processing. Indeed, the CNIL pointed out that users' data were collected from many services such as Gmail, Google Maps or YouTube, which had the effect of making the processing massive and intrusive.
- Then, the CNIL considered that the consent of users was not validly collected for processing relating to ads personalisation. It noted that consent was collected by means of a default pre-checked box, which was not in compliance with the requirements of the GDPR.
This sanction remains, to this day, the most important sanction in Europe issued by data protection authorities.
Following a request by Google LLC to invalidate the sanction, the Council of State, in its decision of 19 June 2020, validated the CNIL's decision. It thus confirms a proper application of the key principles of the GDPR.
The Council of State therefore considers that, at the relevant time, the CNIL was indeed competent to sanction Google, since the decisions in question were not taken by its Irish establishment but by Google LLC, a company established in the United States. It follows that the "one-stop shop" mechanism provided for by the GDPR was not applicable and that the CNIL had jurisdiction to sanction the company. It did so by applying the new European framework as interpreted by all European authorities in the guidelines of the European Data Protection Board.
It also confirms that the CNIL has correctly applied the key principles of the GDPR relating to transparency, information to users and the need for valid consent for ads personalisation. The Council of State considers that the Google’s breaches noted by the CNIL are constituted.
The Council of State therefore validated the CNIL's requirements in terms of transparency and lawfulness when faced with massive and intrusive processing.