CE - N° 430810

From GDPRhub
Revision as of 16:20, 8 July 2020 by Hugo (talk | contribs) (→‎On jurisdiction: clearer explanation of the rationale by the conseil d'etat)
CE - N° 430810
Conseil D'Etat photo.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 6(1)(a) GDPR
Article 12 GDPR
Article 13 GDPR
Decided: 19.06.2020
Published: 19.06.2020
Parties:
National Case Number/Name: N° 430810
European Case Law Identifier:
Appeal from: CNIL
CNIL-SAN-2019-001
Appeal to: Unknown
Original Language(s): French
Original Source: Conseil d'Etat (in French)
Initial Contributor: n/a

Conseil d'Etat confirms CNIL's decision to impose a fine of 50 million € on Google for non transparent privacy policy and lack of valid consent to provide personalised ads.

English Summary

Facts

CNIL issued a fine of € 50 million against Google after two complaints filed by noyb and La Quadrature du Net on the basis of lack of transparency of the privacy policy and the lack of valid legal basis to process the data. Google appealed the decision of the CNIL on several grounds, including the lack of competence of the CNIL since Google would have its main establishment in Ireland.

Dispute

Holding

The Conseil d'Etat confirmed the decision of the CNIL in all points and considered that the CNIL was competent to deal with the case since Google did not have a main establishment in the EU at the time of the decision of the CNIL. The Conseil d'Etat also confirmed that Google's privacy policy was not sufficiently transparent since the information was disseminated throughout several documents and was not easily accessible. The Conseil d'Etat also confirmed that the consent obtained by Google was not valid since it was not sufficiently informed and specific (the users had to accept all processing operations without the possibility to refuse specific processing operations in the first layer of information). Fianlly, the Conseil d'Etat confirmed that the fine was not disproportionate considering inter alia the seriousness of the violation, the financial capacity of Google, the impact of people and the duration of the violation.


Comment

On jurisdiction

This appeal decision provides in paragraph 4-6 an interpretation of the concept of “place of central administration” central to the determination of the competence of a lead supervisory authority in the context of the so called one-stop-shop mechanism.

According to the Conseil d'Etat, the concept of “place of central administration” of the controller means where the “real seat” is located.

In the decision, the Conseil d'Etat considers that Google did not demonstrate that Google Ireland Limited was the real seat of the company in Europe, e.g. Google failed to substantiate that Google Ireland Limited had a power of direction and checking (“direction et contrôle” in French) over other affiliated entities in Europe.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

STATE COUNCIL
ruling
in litigation CR


N° 430810

__________

COMPANY GOOGLE LLC
__________

Session of June 12, 2020
Reading of 19 June 2020
__________

FRENCH REPUBLIC
ON BEHALF OF THE FRENCH PEOPLE

 


The Council of State ruling on contentious cases
(Administrative Jurisdiction Division, 10th and 9th Chambers combined)


On the report of the 10th Chamber
 of the Litigation Section

 

Having regard to the following procedure:

By a summary application, an additional brief, two reply briefs, additional observations and a new brief, filed on 16 May, 1 August and 19 December 2019 and on 11 February, 18 May and 10 June 2020 at the Litigation Secretariat of the Council of State, the company Google LLC asks the Council of State:

1°) to annul deliberation No. SAN-2019-001 of 21 January 2019 by which the restricted section of the Commission nationale de l'informatique et des libertés (CNIL) imposed a financial penalty of 50,000,000 euros on it and decided to make its deliberation public, which will be made anonymous at the end of a period of two years from its publication;
(2) in the alternative, to refer the following questions to the Court of Justice of the European Union for a preliminary ruling and to stay the proceedings pending the Court's reply to those questions:
"1 - Can a controller established in a country outside the European Union with several establishments in the European Union and a designated European seat in the territory of a Member State have a 'principal place of business' within the meaning of Article 4(16) of the PGRD in that Member State if the decisions on the purposes and means of processing are taken in that third country?
2 - Where a controller envisages a processing operation having several purposes and seeks to obtain the data subject's consent under Article 6(1)(a) of the PGRD for all those purposes, do Article 7(2) and Recital 32 of the PGRD require the controller to give the data subject the possibility to detail his consent by purpose from the first level of information, or can the data subject give his consent by a clear and single positive act for all purposes in the first level of information while having access, through a link or by any other means, to the possibility of detailing his consent in a second level of information? ».


She argues that the restricted formation of the CNIL has tainted her deliberation :
of irregularity, given that Google's main establishment in Europe is located in Ireland and that, under the principle of lead authority enshrined in the General Data Protection Regulation (GDPR), it was the Irish regulatory authority that was competent to control its activities in the European Union ;
- for disregarding the principles of legality of offences and penalties and the principle of non bis in idem to have considered itself competent to investigate complaints;
- irregularity in failing to apply correctly the cooperation and consistency procedures laid down in Chapter VII of the GDMPR;
- irregularity in having followed the procedure provided for by the decree of 20 October 2005 taken for the application of the law of 6 January 1978 relating to information technology, files and liberties, which does not guarantee respect for the rights of the defence and the principle of adversarial proceedings as protected by Article 16 of the Declaration of the Rights of Man and of the Citizen of 1789 and the provisions of Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, since the time-limits are too short to allow the controller concerned to prepare his defence and no time limit is laid down ;
- error of law in holding that the consent on which Google relies for processing for the purposes of personalising advertising was not validly obtained ;
- error of law in holding that there had been a failure to comply with the obligations of transparency and information as provided for in Articles 12 and 13 of the DPMR;
-in the alternative, an error of law and inadequate statement of reasons for its decision by imposing a disproportionate financial penalty of EUR 50 million without having taken account of all the criteria laid down in Article 83 of the GDMP.

By a statement of defence and three statements in reply, registered on 23 October 2019, and on 15 January, 26 February and 11 June 2020, the CNIL concluded that the application was dismissed. It submits that none of the pleas in law is well founded.

By an intervention and a statement of case, registered on 6 April and 8 June 2020, the Union fédérale des consommateurs - Que choisir (UFC - Federal Union of Consumers - Que choisir) declared intervening in defence.

    
Having regard to the other documents in the case;

Having regard:
- the Constitution, in particular its Preamble;
- the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
- Law No. 78-17 of 6 January 1978;
- Decree No. 2005-1309 of 20 October 2005;
- the judgment of the Court of Justice of the European Union C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v Planet49 GmbH of 1 October 2019;
- the Code of Administrative Justice and Order No 2020 305 of 25 March 2020 as amended;
        

After hearing in open session:

- the report of Mr Réda Wadjinny-Green, auditor   
- the conclusions of Mr Alexandre Lallet, public rapporteur ;

The floor having been given, before and after the conclusions, to CPA Spinosi, Sureau, counsel for Google LLC;

Having regard to the memorandum under advisement, registered on 13 June 2020, submitted by Google LLC;

Considering the following:

1. It results from the investigation that the Commission nationale de l'informatique et des libertés (CNIL) was seized on 25 and 28 May 2018 of two collective complaints filed pursuant to Article 80 of Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, known as the General Regulation on Data Protection (RGPD), formed by the associations None of Your Business and La Quadrature du Net. On the following September 21, the CNIL carried out an online check to verify the compliance of the processing carried out by Google LLC from the personal data of users of the Android operating system with the law of January 6, 1978 relating to computers, files and freedoms and the RGPD. Following this control, the President of the CNIL initiated a sanction procedure. In a decision of 21 January 2019, which Google LLC is seeking to annul, the restricted formation of the CNIL imposed a financial penalty of 50,000,000 euros on the company for breaches of Articles 6, 12 and 13 of the RGPD and decided to make this penalty public for a period of two years from its publication.

On the intervention of the UFC - What to choose :

2. The UFC - Que choisir justifies, having regard to the object and nature of the dispute, a sufficient interest to intervene in the present proceedings in support of the conclusions presented by the Commission nationale de l'informatique et des libertés (CNIL), which tend to reject the application. His intervention is, therefore, admissible.

On the jurisdiction of the CNIL :

3. Article 55 of the RGPD provides that: "Each supervisory authority shall be competent to exercise the tasks and powers conferred on it in accordance with this Regulation on the territory of the Member State to which it belongs", while Article 56 of the Regulation provides that: "1. Without prejudice to Article 55, the supervisory authority of the principal or sole establishment of the controller or processor shall be competent to act as lead supervisory authority regarding cross-border processing carried out by that controller or processor, in accordance with the procedure laid down in Article 60. (…) 6. The lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller". According to Article 4(7) of the Regulation, the concept of "controller" shall mean "a natural or legal person (...) who alone or jointly with others determines the purposes and means of processing (...)", while under Article 4(16) "principal place of business" shall be understood as "(a) in relation to a controller established in several Member States, the place of its central administration in the Union, unless the decisions as to the purposes and means of processing personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to enforce those decisions, in which case the establishment having taken such decisions shall be considered as the principal establishment (...)". Finally, the 36th recital of the Regulation states that: "The principal place of business of a controller in the Union should be determined by objective criteria and should involve the effective and genuine exercise of management activities determining the principal decisions as to the purposes and means of processing within the framework of a stable system (...)".

4. It is clear from the provisions cited in the previous point that where cross-border processing of personal data within the European Union is involved, the supervisory authority of the principal establishment in the Union of the controller is, as lead authority, competent to monitor compliance with the requirements of the DPMR. For the determination of the competent supervisory authority, the central administration of the controller, i.e. the place of its actual seat, shall in principle be regarded as its principal place of business. This is not the case if another establishment of the controller is competent to take decisions on the purposes and means of the processing and has the power to enforce them at Union level. If a controller established outside the European Union carries out cross-border processing within the territory of the Union, but has neither a central administration nor an institution with decision-making powers as to the purposes and means of the processing, the lead authority mechanism provided for in Article 56 of the PGRD cannot be implemented. In such a case, each national supervisory authority is competent to monitor compliance with the PPMR on the territory of its Member State in accordance with Article 55 of the PPMR.

5. Google LLC submits that the CNIL was not competent to initiate the sanction procedure referred to in paragraph 1 and that it was obliged to forward the complaints it had received to the Irish data protection authority, since Google Ireland Limited was to be regarded as its principal place of business within the European Union. It merely stated, inter alia, that its Irish establishment was its "registered office" for its European operations, that it had significant financial and human resources and that it was responsible for "numerous organisational functions" for the whole of Europe, the consistency of which was not specified. It is common ground that the Android operating system was, at the date of the contested decision, exclusively developed and operated by Google LLC, established in the United States and responsible for the processing at issue. First, it does not follow from the instruction that Google Ireland exercised, at that date, a power of direction or control over the other European subsidiaries of Google LLC such as to regard it as a central administration within the meaning of the DPMR. Furthermore, it follows from the investigation that that establishment, which in any event was in any event assigned new responsibilities in relation to the processing carried out by Google in Europe only from 22 January 2019, that is to say, after the date of the contested sanction, did not until that date have any decision-making power as regards the purposes and means of the processing at issue, nor did any of its other European establishments.
 
6. It follows from what has been said in paragraphs 4 and 5 that Google Ireland Limited could not be regarded as the central administration of the controller of the contested processing operations and that Google LLC, which alone determines the purposes and means of the processing operations, did not have, at the date of the contested sanction, a principal place of business within the European Union, within the meaning and for the purposes of the DPMR. Since no lead authority could therefore be designated under the conditions laid down in Article 56 of the RGPD, the CNIL was competent to investigate the complaints of the associations None of Your Business and La Quadrature du Net concerning the processing of the personal data of French users of the Android operating system carried out by Google LLC and to impose the contested sanction on the latter. The recognition of such jurisdiction by the CNIL with regard to data processors of users' data located in France, whose determination conditions do not in any event disregard the principle of legality of offences and penalties, cannot lead to a violation of the principle of non bis in idem.

On the regularity of the procedure :

7. In the first place, the European Data Protection Committee (EDPS) shall deliver an opinion in the cases referred to in Article 64(1) of the PDSR, which do not include penalty procedures, or when a matter is referred to it by a supervisory authority, the chairman of the Committee or the Commission pursuant to the second paragraph of that Article. The Committee may also take binding decisions in the cases referred to in Article 65 of the Regulation, which provides in particular that: "1. With a view to ensuring the correct and consistent application of this Regulation in individual cases, the Committee shall adopt a binding decision in the following cases: (a) where, in the case referred to in Article 60(4), a supervisory authority concerned has raised a relevant and reasoned objection to a draft decision of the lead supervisory authority and the lead supervisory authority has failed to act on the objection or has rejected the objection on the grounds that it is not relevant or reasoned (...) (b) where there are diverging views as to which supervisory authority concerned is competent for the lead institution ; /... (c) where a competent supervisory authority does not seek the opinion of the Committee in the cases referred to in Article 64(1) or does not follow the opinion of the Committee issued under Article 64".

8. The investigation shows that, on 1 June 2018, the CNIL submitted the complaints referred to it to its European counterparts via the European information exchange system with a view to designating a possible lead authority. No European supervisory authority then decided to refer the matter to the European Data Protection Committee, nor did it express an assessment that differed from that of the CNIL regarding the absence of Google LLC's principal place of business in Europe. Furthermore, after that date, the Irish data protection authority publicly stated, by a right of reply exercised on 27 August 2018 in the Irish Times newspaper, that it was not the lead authority for Google LLC since Google LLC's Irish establishment did not have any decision-making power with regard to its data processing operations in Europe. In the absence of any divergent view and since the investigation of the complaint at issue does not fall within the scope of any other case provided for by Articles 64 and 65 of the DPMR, the plea alleging that the failure to refer the matter to the European Data Protection Committee would have vitiated the irregularity procedure can only be dismissed.

9. 9. Secondly, the mechanism provided for in Articles 60 to 62 of the DPMR, which aims at encouraging cooperation between the different European Data Protection Supervisory Authorities and ensuring a consistent application of the Regulation throughout the Union, applies only in the case of designation of a lead authority or joint operations of supervisory authorities. Since the disputed procedure does not fall within either of those two hypotheses, the plea alleging breach by the CNIL of its duty of cooperation and mutual assistance, which in any event cannot be relied on usefully in support of an action brought against a penalty imposed by it, can only be dismissed.

Disregard for the rights of the defence:

10. First, the applicant company maintains that the decree of 20 October 2005 implementing Law No 78-17 of 6 January 1978 on data processing, data files and liberties, under which the contested proceedings were conducted, infringes the rights of the defence and the right to a fair hearing guaranteed by Article 16 of the Declaration of the Rights of Man and of the Citizen of 1789 and, consequently, Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, on the one hand, that the procedural deadlines it provides for are too short to enable the controller to prepare his defence in a meaningful way and, on the other hand, that no adjustment is made to this deadline, in particular for controllers established abroad.

11. Under article 16 of the 1789 Declaration of the Rights of Man and of the Citizen: "Any society in which the guarantee of rights is not assured, nor the separation of powers determined, has no Constitution". This provision implies, inter alia, that no sanction having the character of a punishment may be inflicted on a person without that person having been given the opportunity to present his observations on the acts of which he is accused. With regard to punitive measures, respect for the general principle of the rights of the defence presupposes that the person concerned should be informed, with sufficient precision and within a reasonable time before the sanction is imposed, of the complaints made against him or her and should have access to the documents on the basis of which the breaches were established, at least when he or she so requests.

12. 12. Article 74 of the Decree of 20 October 2005, then in force, provides that: "When a sanction is likely to be imposed, the chairman of the commission shall appoint a rapporteur who does not belong to the restricted formation and shall inform the controller or processor in question. The rapporteur shall take all necessary steps with the assistance of the commission's departments. The controller or processor may be heard if the rapporteur considers it useful (...)". Under the terms of article 75 of the same decree: "The report provided for by article 47 of the aforementioned Act of 6 January 1978 shall be notified to the controller or the processor by any means enabling the Commission to provide proof of the date of such notification. The controller or the processor shall have a period of one month in which to forward his written comments to the rapporteur and the restricted formation. The notification of the report shall mention this time limit and state that the controller may inspect and copy the documents in the file at the Commission and may be assisted or represented by any counsel of his choice. The rapporteur may reply to the controller or the processor within 15 days of receiving the respondent's comments. The controller or the processor shall have a further 15 days in which to submit written comments, where appropriate. (...) The controller or the processor shall be informed that after the time limits mentioned in the preceding paragraphs have elapsed, unless the closure of the investigation is postponed, the investigation shall be closed and his written comments shall be declared inadmissible by the restricted training. / At any time, the rapporteur may decide to amend his report, in particular in the light of information brought to his attention by the controller or the processor. The procedure laid down in the preceding paragraphs shall then be applied. If the amendment is made after the closure of the investigation, the investigation shall be reopened". Finally, Article 76 of the Decree provides that: "The controller or processor shall be informed of the date of the restricted training session during which the case concerning him/her is registered and of the opportunity to be heard there, himself/herself or his/her representative, by any means making it possible to certify the date of notification. This information must reach him at least one month before the date of the session at which the case is examined. If the case is to be reconsidered or postponed at a later meeting, this minimum period may be reduced to seven days".

13. 13. The effect of these provisions is that the controller who is notified of a report proposing a sanction against him or her has one month in which to send his or her comments to the restricted panel and the rapporteur, followed by a period of 15 days in which to reply to the rapporteur's new comments, if any. At the end of the latter period, the investigation is in principle closed. A date for a hearing is also set, during which the controller may submit oral comments. The controller is informed of this date at least one month before the hearing is held. It also follows from the provisions of Articles 75 and 76 above that the chairman of the restricted panel may, depending on the circumstances of the case, postpone both the date of closure of the investigation and the date of the hearing in order to allow the controller to prepare his defence. Furthermore, no rule or principle imposes the institution, in the matter of administrative sanction proceedings, of a time limit of distance, applicable to claimants domiciled outside metropolitan France. In those circumstances, the plea of illegality of Articles 75 and 76 of the Decree of 20 October 2005 must be dismissed.

14. Secondly, it is submitted that, in the present case, the procedure followed disregarded the rights of the defence, since Google was not put in a position to put forward its observations in a meaningful way. It follows from the investigation that the applicant company was first given a period of one month in which to respond to the rapporteur's report. It then had a second period of one month in which to respond to the rapporteur's reply, the chairman of the restricted panel having granted it an extension of 15 days, so that the investigation was not closed until two months and 15 days after the submission of the report. If, on two occasions in the course of the procedure, the applicant company requested the organisation of a hearing, first with the Commission and then with the rapporteur, on the basis of Article 74 of the Decree of 20 October 2005, and those requests were rejected on 11 October and 13 November 2018, it follows from the investigation that the session of the restricted training, initially scheduled for 10 January 2019, was postponed, at the applicant's request, until 15 January and that the applicant was able to submit oral observations. In those circumstances, the company was able to prepare and present its defence in a useful manner. The plea alleging infringement of the rights of the defence must therefore be dismissed, without the fact that most of the documents in the proceedings were in French and that no prior formal notice was given having any bearing on that point.

The failure to comply with the obligations to provide information and transparency:

15. Article 12(1) of the GDMPR provides that: "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and to make any communication pursuant to Articles 15 to 22 and Article 34 regarding the processing operation to the data subject in a concise, transparent, comprehensible and easily accessible manner and in clear and simple terms, in particular any information specifically intended for a child. Information shall be provided in writing or by other means, including, where appropriate, by electronic means (...)". Article 13 of the same Regulation specifies the information that must be provided to users. It is clear from these provisions that the information provided to users must enable them to determine in advance the scope and consequences of the processing operation in order to avoid being taken unawares as to how their personal data are intended to be used. While the requirements of conciseness, intelligibility, clarity and simplicity of the information laid down in the DPMR justify that the information should not be excessively detailed in order not to discourage the user from reading it, all relevant elements relating to the different purposes and scope of the processing should be easily accessible to the user.

16. Google LLC submits that the architecture it has chosen aims to inform users in a clear and intelligible manner using a multi-layered approach, in accordance with the recommendations of the European Data Protection Committee. The first level, consisting of the "Privacy Policy and Terms of Use" sets out the scope and main purposes of the processing, while several hyperlinks - "terms of use"; "privacy policy"; "more options"; "rules"; "learn more" - allow users to access more comprehensive information. Finally, and after creating an account, other tools are available to users to manage their privacy settings, such as the "privacy check-up" and the "dashboard" tool.

17. 17. Firstly, the first level of information offered to users appears excessively general in view of the extent of the processing carried out by the company, the degree of intrusion into privacy that it involves and the volume and nature of the data collected.

18. Secondly, it follows from the instruction that essential information relating to certain processing operations is accessible only as a result of numerous actions, or is accessible only via hypertext links which are themselves difficult to access. In order to obtain all the relevant information relating to the personalised processing of advertisements, a user must first perform three actions from the first level of information, before returning to the initial document and performing two new actions, i.e. a total of five actions, while six actions are necessary to obtain exhaustive information on geolocation. The information on the data retention period, which must be provided under a) of 2° of article 13 of the RGPD, is only accessible through a hypertext link available on the sixty-eighth page of the "Confidentiality rules" document.

19. Thirdly and finally, the information transmitted is itself sometimes incomplete or insufficiently precise, including in the final levels of information. It follows from the instruction that the document on data retention published by Google states that certain data may be kept "for long periods for specific reasons", without indicating either the purposes or the data concerned.

20. 20. In those circumstances, the tree structure chosen by Google appears likely, by the dispersal of the information which it organises, to affect the accessibility and clarity of that information for users, even though the processing in question is particularly intrusive in view of the number and nature of the data collected. It follows that the restricted formation of the CNIL, which did not, contrary to what is claimed, require exhaustive information to be provided from the first level of information, was rightly in breach of the obligations of information and transparency laid down by Articles 12 and 13 of the abovementioned RGPD. Moreover, the CNIL's restricted panel was not required to indicate what measures would be taken to meet the requirements of the RGPD.

On breaches of the rules on consent for processing for the purposes of personalising advertising :

21. First, Article 6 of the DPMR provides that: "Processing is lawful only if and insofar as at least one of the following conditions is met: / a) the data subject has consented to the processing of his or her personal data for one or more specific purposes". Article 4(11) of the Regulation states that consent shall be "any freely given specific, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement, by a declaration or a clear positive act, to personal data relating to him or her being processed". Where the processing is based on consent, the controller shall be able to demonstrate that the data subject has given his or her consent to the processing of personal data relating to him or her / 2 If the data subject's consent is given in the context of a written statement which also relates to other matters, the request for consent shall be in a form which clearly distinguishes it from those other matters, in a form which is comprehensible and easily accessible, and in plain and simple language (...)". It follows from these provisions as interpreted by the Court of Justice of the European Union in its judgment C-673/17 of 1 October 2019 that free, specific, informed and unambiguous consent can only be an express consent of the user, given in full knowledge of the facts and after adequate information on the use that will be made of his personal data. A consent given by means of a box ticked by default does not imply an active behaviour on the part of the user and cannot therefore be considered as a clear positive act validly allowing the collection of the consent. Furthermore, a consent given in the context of the overall acceptance of general terms and conditions of use of a service is not specific in the sense of the GDPSR. Finally, regardless of the manner in which it is collected, consent is valid only if it is preceded by a clear and distinct presentation of all the purposes pursued by the processing operation.

22. It follows from the instruction that, for the creation of a Google account necessary for the use of the Android operating system, the user is first presented with the 'Privacy Policy and Terms of Use' which briefly and very generally informs him of the nature of the data processed and the purposes of the processing carried out by Google. The user can then click on a "more options" link or tick the boxes "I accept the Google terms of use" and "I agree that my information will be used as described above and detailed in the Privacy Policy" to create his or her account. If the user clicks on the "more options" link, a page will prompt the user to set up their account. Under the personalization of ads, a pre-ticked box, which he can uncheck, indicates that he agrees to display personalized ads. More information can be obtained by clicking on a "learn more" link, which specifies how to display personalized ads, but this information is not exhaustive. However, if the user does not choose to click on the "more options" link on the first page presented to them, a "simple confirmation" window will appear, reminding the user that the account is configured to include personalization features "such as recommendations and personalized ads". This page tells the user how to change these settings. The user can then return to the "more options" page or definitively confirm the creation of their account.

23. 23. If the architecture described in the previous point means that the user is always invited to indicate that he agrees to have his information processed in accordance with the default settings of his account, i.e. including functions for personalizing ads, the information available to him for this purpose is general and diluted in the middle of purposes that do not necessarily require consent as a legal basis, both at the first level of information and in the window entitled "simple confirmation". It thus appears that the information on the scope of the processing operation for "advertising targeting" purposes provided at the first level is, in the light of the clarity and accessibility requirements recalled above, insufficient. In the absence of sufficient prior information, the consent collected in a global manner for all purposes, including this one, cannot be regarded as informed nor, consequently and in any case, as valid. If additional information on the advertising targeting purpose is provided at the second level (by clicking on "More options") and a specific consent for this purpose is then collected, it appears that this information is itself insufficient in view of the scope of the processing. Finally, consent is collected by means of a pre-checked box. In these circumstances, the CNIL's restricted panel rightly considered that the methods of collecting consent do not meet the requirements of the RGPD, which require a clear positive act, without the alleged circumstance that the regulation does not require separate collection of consent for the purpose of advertising targeting having any bearing on this point. Moreover, contrary to what is submitted, the restricted panel was not required to define precisely the obligations on the applicant company with regard to consent, which flow directly from the GDPR.

24. 24. Secondly, if the applicant company submits that the CNIL interpreted the requirement of consent inconsistently with its previous positions, it cannot usefully rely on the fact that the arrangements for obtaining consent described in paragraph 22 were in accordance with the CNIL's recommendations set out in Deliberation No 2013-378 of 5 December 2013 on cookies, which was based on Directive 95/46, which was no longer in force on the date of the contested sanction, nor invoke Deliberation No 2019-093 of 4 July 2019, which allows operators, as regards cookies and tracers, an adaptation period of six months during which the Commission announced that the continuation of navigation as an expression of consent would not result in the activation of its enforcement power. Nor can the applicant usefully rely on the fact that 'explicit' consent is required to authorise the processing of 'sensitive' data referred to in Article 9 of the GDMPR in order to infer that such consent would not be necessary for data not referred to in that Article, since Article 4 of the Regulation defines consent in the same way regardless of the nature of the data concerned.

On the grounds for the penalty imposed by the CNIL :
 
25. On the one hand, Article 83(2) of the RGPD provides that: "Depending on the specific characteristics of each case, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). In deciding whether an administrative fine should be imposed and in deciding the amount of the administrative fine, due account shall be taken, in each individual case, of the following elements: / (a) the nature, seriousness and duration of the breach, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them; / (b) whether the breach was committed intentionally or through negligence; / (c) any measures taken by the controller or the processor to mitigate the damage suffered by the data subjects ; / (d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32; / (e) any relevant breach previously committed by the controller or processor; / (f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any negative effects thereof ; / (g) the categories of personal data concerned by the breach; (h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor notified the breach; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures; / (j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and (k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach".

26. 26. On the other hand, article L. 211-2 of the Code on relations between the public and the administration provides that "reasons must be given for decisions which : (...) 2° Inflict a penalty", while under the terms of Article L. 211-5 of the same code: "The reasons required by this chapter must be in writing and include a statement of the legal and factual considerations which form the basis of the decision". It follows from these provisions that, in the event that the legality of an administrative decision is based on the taking into account of a certain number of considerations, compliance with the requirement to state reasons that they provide for leads its author to have to state only those on which the decision he has taken is based. Moreover, it does not follow from any provision that the restricted training of the Commission nationale de l'informatique et des libertés should include an explanation of the amount of the penalties which it imposes. It follows from that that the pleas in law alleging that insufficient reasons were given for the contested decision, which was not required to state all the criteria laid down in Article 83 of the abovementioned RGPD or to indicate the figures relating to the method of determining the amount of the penalty imposed and the error in law which that inadequate statement of reasons reveals, must be rejected.

On the amount of the penalty imposed :

27. It follows from the foregoing that, having regard to the particular seriousness of the infringements committed, which is due to the nature of the requirements infringed and their effects on users, the continuous nature of those infringements and the length of the period during which they continued, the ceilings laid down by Article 83(4) of the GDR, and the financial situation of the company, the financial penalty of EUR 50 000 000 imposed on Google is not disproportionate.

28. 28. It follows from all the above, without the need to refer questions to the Court of Justice of the European Union for a preliminary ruling, that Google LLC's application must be dismissed.


D E C I D E :
----------

Article 1: The intervention of the PDU - What to choose is allowed.

Article 2: The request of the company Google LLC is rejected.

Article 3: This decision will be notified to the company Google LLC and to the Commission Nationale de l'Informatique et des Libertés.