CNIL - SAN-2019-001
|CNIL - SAN-2019-001|
|Relevant Law:||Article 4(11) GDPR|
|Parties:||Google LLC Vs. noyb and La Quadrature du Net|
|National Case Number:||SAN-2019-001|
|European Case Law Identifier:||n/a|
|Original Source:||CNIL (in FR)|
The CNIL imposed a record fine of €50 million on Google for several violations of GDPR including processing personal data without a lawful basis, violating the free consent principle and the transparent information principle.
English Summary[edit | edit source]
Facts[edit | edit source]
The NGO la Quadrature du Net (LQDN) filed a complaint with the CNIL about Google's lack of lawful basis to process personal data for targeted advertising purposes.
The CNIL decided to gather the two complaints and decide on them in a single decision, following an extensive investigation.
Google's main arguments were that the complaints are inadmissible and there was a violation of the company's right to a fair trial (art. 6 ECHR), in particular because of the language used (French) and the imparted time to respond.
Dispute[edit | edit source]
Is there a legal basis for the processing?
Is the case admissible? Is the company's right to a fair trial violated?
Holding[edit | edit source]
On the admissibility, the CNIL replied that the admissibility of the complaints would in any case have no influence on the legality of the procedure because the CNIL’s competency is not subject to the receipt of a complaint, the DPA can initiate proceedings ex officio on the basis of its own findings.
On the alleged violation of the defendant's rights to a fair trial, the CNIL rejected both arguments.
On the failure to comply with transparency and information obligations:
In essence, the CNIL acknowledged that Google has made progress in terms of transparency and control given to users over their personal data. It then comes to the notion information accessibility, according to which the data subject must be able to determine in advance which processing operations will be performed. The CNIL notes that Google has scattered the information in several documents, not all of which are directly accessible, and that Google's design choices fragment the information (buttons and links must be clicked to access the relevant information). According to the CNIL, the amount of information to be read before data processing operations can be identified is too large. Finally, the data subject will have to cross-reference the information to understand what processing operations are being carried out.
The CNIL therefore concluded that there is a general lack of accessibility of information; Interestingly, the CNIL also concedes that exhaustive information, from the first level, would be counterproductive and would not respect the requirement of transparency.
The CNIL goes on to point out that the processing operations carried out by Google are "particularly massive and intrusive" and that the data come from many sources.
The information provided to the user must be clear and comprehensible, in accordance with Art. 12 GDPR, and it is in the light of the processing operations carried out that the clear and comprehensible nature must be analysed.
In short, with regard to the information made available by Google, the CNIL considered that:
- the purposes of the processing operations are described in a way that is far too generic given the scope and consequences of the processing operations carried out;
- the description of the purposes does not allow users to measure the extent of the processing and the degree of intrusion into their private sphere;
- the description of the data collected is imprecise and incomplete.
The lack of clarity and understandability must also be analysed according to the legal basis on which the processing operation is based (in this case: consent). The CNIL states that Google's formulations do not allow the user to distinguish between personalized advertising (carried out using user data, and on the basis of their consent) and other forms of targeting based on legitimate interest.
Finally, the CNIL stresses that Google's efforts with regard to the tools it makes available to users (information pop-up, privacy check-up, dashboard) only partially contribute to the objective of transparency. As the information must be provided at the time the data is collected, the tools in question are only made available once the Google Account has been created, in other words after a multitude of data processing operations have been carried out.
Regarding the lack of a legal basis for the implementation of processing operations:
Google declared that it only relies on consent for processing operations related to targeted advertising, and complies with the GDPR in this respect.
Consent must be specific and unambiguous. The CNIL noted first of all that when creating a Google account, the user has the possibility to modify certain parameters. However, settings related to account customization and display of targeted ads were enabled by default. The CNIL concluded that:
- consent was not validly obtained because it was not given through a positive act but by an opposition to the processing operation (opt-out)
For all these reasons, the CNIL decided to impose a penalty of € 50 million and an additional to have the decision published.
On June 19th 2020, the Supreme Administrative Court (Conseil d'Etat) confirmed fully the CNIL's decision in CE - N° 430810.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. Please refer to the French original for more details.