France’s supreme court for administrative matters, the Council of State (Conseil d’Etat), has upheld the €50 million fine imposed on Google LLC by the French data protection authority, the Commission Nationale Informatique et Libertés (the “CNIL”), for breaches of the General Data Protection Regulation (the “GDPR”). Google LLC is the California-based, Delaware-incorporated entity that serves as the main Google operating company.
The fine arose from complaints lodged by privacy advocates La Quadrature du Net and None Of Your Business (NOYB). The advocates contended that Google LLC improperly forced users of its Android operating system to agree to its privacy policy and terms and conditions of use. The complaints also alleged that Google lacked a valid legal basis for processing customers’ personal data for the purposes of behavior analysis and targeted advertising. These complaints went to the heart of key Google business practices regarding disclosure of, and consent to, how the company collects and uses personal data.
Last year, the CNIL fined Google €50 million for breaches of the GDPR (see our previous update). This remains the highest fine actually issued under the GDPR or by a European data protection authority (“DPA”). (The UK Information Commissioner’s Office has stated an intention to impose fines on Marriott and British Airways that would be larger but are still not confirmed; see our previous updates on the proposed fines for Marriott and British Airways.) In its decision, the CNIL noted Google’s size and dominant market position to justify the amount of the fine. Google appealed to the Council of State.
The Council of State has now upheld the CNIL’s conclusions across the board:
- On the merits, the Court agreed with the CNIL that Google LLC’s business practices violated the GDPR. In particular, the Court upheld the CNIL’s finding that Google had failed to adhere to the GDPR’s requirements for transparency and obtaining valid consent in the processing of personal data.
- Crucially, the Court also confirmed that the CNIL’s jurisdiction extended to the regulation of Google LLC in France. Google LLC had argued that Google Ireland Limited constituted Google LLC’s main presence in the EU, such that under the “one-stop shop” mechanism provided for by the GDPR, the Irish DPA was the sole regulator with jurisdiction. The Court ruled that the “one-stop shop” mechanism did not apply as Google LLC retained full control and decision-making power over EU-based data processing operations. Google Ireland Limited had not appointed a data protection officer and was not referred to as a controller of the relevant personal data in privacy notices.
- The Court also found the size of the fine to be proportionate in light of the severity and ongoing nature of the GDPR violations and Google LLC’s profitable financial position.
What next?
It appears that the Council of State’s decision is the end of the road in terms of Google’s ability to challenge the fine. The Council of State is the highest administrative court in France and so there is no prospect of further domestic review of the fine in France. In addition, the Court also refused Google’s request for a reference for a preliminary ruling by the European Court of Justice on the issue of the jurisdiction of Member States’ DPAs and the scope of valid consent.
This may explain the tone of Google LLC’s statement on this issue: “People expect to understand and control how their data is used, and we’ve invested in industry-leading tools that help them do both. This case was not about whether consent is needed for personalised advertising, but about how exactly it should be obtained. In light of this decision, we will now review what changes we need to make.”
It remains to be seen whether other EU DPAs will take this decision as encouragement in handing down stricter decisions and higher fines.
The decision is a reminder to companies that they may face enforcement actions in any EU or EEA country where they do business – not just in the country whose DPA the company deems to be its lead supervisory authority – if it does not have a “main establishment” in the EEA from a GDPR perspective. The decision is also a reminder that GDPR was meant to reach beyond EU borders, in this case to impose a substantial fine on a US-based entity.
The Google case has turned largely on the proposition that the relevant business practices, though carried out in France, were dictated from the United States by Google LLC. Companies may wish to consider whether increasing the autonomy of their EU affiliates regarding the processing of personal data is, all things considered, a feasible and desirable means of reducing GDPR enforcement risk. Groups wishing to argue that a particular European legal entity is their main establishment for GDPR purposes should ensure that other factors are consistent with that argument, such as the contents of privacy notices and organizational structure.
To subscribe to the Data Blog, please click here.
