On 21 January 2019, the French Data Protection Authority (CNIL) issued the first French sanction under the GDPR since the Regulation entered into force: a fine of EUR 50 million against Google LLC (the decision is available in English).
On 25 and 28 May 2018, the associations None Of Your Business ("NOYB") and La Quadrature Du Net ("LQDN") filed five collective complaints with the CNIL against Facebook, Google, Apple, Amazon and LinkedIn. Two of these complaints directly targeted Google.
In accordance with Article 80 of the GDPR, which allows data subjects to mandate a not-for-profit body, organization or association to lodge a complaint on their behalf, the two complaints together carried the requests of 9,974 Internet users.
The purpose of these complaints was to denounce the unlawfulness of the processing carried out by Google for behavioral analysis and advertising targeting, and in particular the absence of a valid legal basis for it.
On 21 September 2018, the CNIL carried out an online inspection to check the compliance, with the French Data Protection Act (Loi Informatique et Libertés) and the GDPR, of the processing operations involved in using the Android operating system on a mobile device, including the creation of a Google account (the user journey and the documents accessible along it).
The CNIL's investigation revealed two series of breaches, which are the subject of this landmark decision:
Failure to comply with transparency and information obligations (Articles 12 and 13 of the GDPR)
According to the CNIL, the accessibility requirement, which depends partly on ergonomic choices, is not met here: the information architecture chosen by Google requires five or six steps to reach the relevant information. The information required by Article 13 of the GDPR is excessively scattered across three documents, reachable only in a second step through clickable links.
The CNIL points out that a large amount of information must be read to locate the relevant paragraph(s), and that users have to cross-check and compare it in order to understand which of their data is collected under the settings they have chosen.
The CNIL also found that some of the information is not "clear" and "understandable". The overly generic description of the purposes, given the particularly massive and intrusive scope of the processing, and the imprecise and incomplete description of the personal data collected from extremely varied sources, prevent users from assessing the extent of the processing carried out by Google or the degree of intrusion into their private life.
Finally, the CNIL underlines the lack of clarity in the distinction between personalized advertising, which according to Google is based on consent, and other forms of targeting, for instance those based on browsing data, which rely on legitimate interest.
Failure to comply with the obligation to have a legal basis for the processing of personalization of advertising (Article 6 of the GDPR)
The CNIL considers that the consent on which Google relies for the processing of personalization of advertising is not validly obtained.
As regards the informed nature of consent, the breaches of the transparency and information obligations necessarily affect the information given before consent is collected: information on advertising personalization is neither easily accessible (it is spread across separate documents) nor sufficiently clear and understandable (the overall scope of the various processing operations is hard to grasp). As regards the specific and unambiguous nature of consent, the CNIL recalls that the requirement of a clear affirmative action rules out pre-checked boxes and inactivity, and that consent must be given separately for each purpose.
Here, the CNIL notes that, on the one hand, the box for displaying personalized advertisements is pre-checked by default and, on the other hand, the user is required to accept "en bloc" all the processing operations implemented by Google, including advertising personalization and voice recognition. Consent is therefore neither specific nor unambiguous, since it is not given through a positive act by which the data subject specifically and distinctly consents to the processing of their personal data for the purpose of personalizing advertising.
Note that the CNIL does not rule here on whether consent is the appropriate legal basis for processing related to targeted advertising, only on whether the consent Google relied on was validly obtained; the choice of legal basis remains a source of difficulty and operational questions for actors in the sector.
Since the decision targets Google's own practices and structural set-up, it does not appear, at this stage, to have a significant impact on the sector as a whole.
Finally, while the CNIL applied for the first time the new sanction ceilings provided for in the GDPR, up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher, it is far from having applied the maximum. In 2017, Google LLC had a turnover of 109.7 billion dollars (approximately 96 billion euros), 4% of which would be roughly EUR 3.8 billion.