While CNIL’s recent decision to fine Google is still subject to legal challenge from Google, it is relevant to look into CNIL’s position in this matter, from the perspective of its potential impact on the future positions of other data protection authorities in similar matters and the risks associated with GDPR. The article below relies on publicly available sources and does not aim to draw any conclusions on the merits of the case or to assess the factual situation to which CNIL’s decision refers, but rather to look into CNIL’s reasoning and outline key aspects for market players to consider going forward.
1. Relying on the one stop shop mechanism provided by the GDPR. Or not?
Following discussions with the data protection authorities of other Member States (including the one in Ireland), CNIL is of the opinion that the main establishment of Google cannot be identified as being in one particular Member State. CNIL based its opinion on its assessment that decisions regarding the purposes and means of processing personal data were allegedly taken within various establishments of Google in different Member States.
Google’s main expectation with respect to the assessment of potential GDPR non-compliances was that such assessment was to be performed by the data protection authority in Ireland, as the lead authority corresponding to the main establishment of Google from a corporate perspective. However, CNIL contradicts this expectation, stressing that from a data protection perspective, when determining the main establishment (and, consequently, the lead supervisory authority), one must identify the place where the purposes and means of processing are determined, if such a place exists at the level of the EU. Moreover, according to CNIL, there is no clear proof that the decisions regarding the information notice or the legal grounds for the provision of personalised ads are taken by the entity Google operates in Ireland. Consequently, CNIL assessed that one cannot identify a main establishment for such processing activities, as they are performed in many places within the EU, which grants investigation competences to all the data protection authorities in the EU.
When CNIL assessed this complaint, it stated that Google had not finalised “moving” to Ireland its main establishment for the activities performed in the EU, an aspect that may have influenced CNIL’s decision if such a change had also involved transferring to the Irish entity the power to take decisions regarding the purposes and means of processing personal data.
2. Complying with the transparency principle provided by the GDPR
Having assessed the information available on the relevant Google website, as well as the information provided by the controller when users with Google IDs and systems initially set up their Android phones, CNIL is of the opinion that the information provided is excessively scattered, fragmented, incomplete and unclear. For example, in order to understand the way in which the ads provided by Google are personalised, one needs to perform 5 or more actions: accessing the general confidentiality policy and the tab “more information”, as well as reading other documents containing confidentiality rules and the corresponding sections regarding personalised services.
As such, users must continuously question the completeness of the information provided, checking various sections of the Google website and the corresponding policies in order to understand the ways in which their personal data is being processed. Moreover, the criticism Google is facing highlights the fact that, due to the architecture of the information provision system, users are inclined to access such information after having set up their account on Android devices and, consequently, after additional data has been collected, and not when or before such data is obtained. Therefore, in CNIL’s view, the expectations of the users regarding the implications and consequences of the data processing activities by Google are low. Moreover, CNIL argued that Google does not provide retention periods, or rules for determining such periods, for the personal data that it is processing.
According to CNIL, the necessity to provide such information in accordance with the provisions of GDPR is extremely important, especially due to the large quantity of personal data collected (i.e., millions of users), the intrusive character of such data (including behavioural data) and the variety of sources used (starting with data stored on the phone, words searched on Google, videos seen on YouTube or actions performed on the internet pages of third party entities using Google cookies/plug-ins).
3. Complying with the consent validity conditions imposed by the GDPR
In this respect, CNIL considers that the consent granted by Google users regarding the personalisation of ads is not informed, not expressed via an affirmative action, not specific, and not provided distinctly from the other provisions of the Google terms and conditions.
Taking into account that the consent for ads personalisation is included in the Google terms and conditions, all the above-mentioned observations regarding the information criteria are applicable in this respect. Moreover, such consent is drafted and granted en bloc and in a non-specific manner for all the data processing purposes provided in such terms and conditions, being expressed by way of the same action through which users grant their consent for the set-up of their Google account. Additionally, CNIL’s decision criticises the fact that even though users are granted the possibility to withdraw or change their consent regarding ads personalisation, such possibility is offered only after the account is set up, the consent being considered as automatically granted upon set up.
As such, according to CNIL, even though all the above seem to be basic errors concerning the processing of personal data, Google has persevered in replicating them from the moment it developed the Google account product.
4. Final issues to be taken into account
In fact, the impact of this decision goes well beyond the individuals using Google products (an impact that should not itself be neglected, given the great popularity and large-scale use of such products). This decision may affect third party entities using Google products, such as Google Analytics, Google Ads, or Google or YouTube social plug-ins. Why? Because controllers using such products generally rely on the information Google is providing to users and, in certain cases, on the grounds identified by Google when acting as controller.
What are the next steps?
Each business should carefully assess the Google products it uses, with an emphasis on the specific data collected by way of such products (e.g., from general personal data to data obtained via cookies), and determine to what extent it may (or may not) need to inform the individuals about such processing activities on its own. Notably, according to publicly available information, Google decided to challenge CNIL’s ruling, so it remains to be seen whether CNIL’s position will ultimately be upheld or not. In addition, further guidance may appear with respect to the above-mentioned aspects, as other EU authorities may focus their attention on the issues presented in the CNIL decision: the Swedish and the Czech authorities have already announced that they are investigating complaints against Google concerning the information provided to users and the means of obtaining their consent.
By Silvia Axinescu, Senior Managing Associate, and Cristina Iacobescu, Senior Associate, Deloitte Legal