Perhaps the most commonplace GDPR soundbite concerns swingeing financial penalties: in the most serious cases, up to €20m or 4% of global annual turnover, whichever is the greater. We have now had our first flexing of that maximal muscle, in the form of the decision of the French supervisory authority, the CNIL, to impose a €50m penalty on Google. The CNIL’s decision, announced yesterday, is summarised here. (The penalty notice itself is not yet available in English).
Notable features of the case include the following:
- The size of the penalty, obviously. Given Google’s size and influence, there is perhaps little surprise that CNIL went big. Most companies are not like Google, so this decision may not provide us with much insight into more run-of-the-mill cases. It is too early to draw any reliable conclusions about the general approach to GDPR fines by EU regulators, or to form any impression of the extent to which their approaches are harmonised. Perhaps there will be an appeal against the CNIL decision; if so, the ensuing litigation may generate some concrete insights.
- The issuer: the penalty was against Google LLC, whose EU HQ is in Ireland. Hang on, you might say: isn’t there supposed to be a ‘one-stop-shop’ regulatory mechanism under the GDPR, whereby each multi-jurisdictional controller is generally answerable only to its lead supervisory authority (here, the Irish DPC)? So, if there was to be a penalty, surely it should have come from the Irish DPC? Generally, that is how things would work. Crucially, however, the CNIL found that the overarching decisions about the processing operations complained of (primarily targeted advertising of Android users) were not made by Google’s Irish establishment, or by any one EU office. Those decisions were ultimately made by the US company. Therefore, as this case was not about a controller’s main EU establishment, the GDPR’s one-stop-shop mechanism was not invoked, and the CNIL was at liberty to act. Interestingly, this conclusion was reached following dialogue with other EU supervisory authorities, including the Irish DPC.
- The complainants: these were representative complaints, i.e. they were Article 80(2) of the GDPR in action. One of the complainants here was Max Schrems’ organisation NOYB (None of your business). The other was also a non-profit organisation, La Quadrature du Net, acting on the mandate of 10,000 data subjects. Both sprang into action quickly, with complaints being filed with the CNIL on the day the GDPR came into force.
- The issues: as regards Android users’ exposure to targeted advertising, the CNIL found that Google failed to (a) provide users with adequate transparency information and (b) secure valid user consent. According to the CNIL, too much was expected of users in terms of finding the essential information they needed to understand how their data would be used. The information was spread across various documents and links, some of it was insufficiently clear, and details of retention periods were lacking for some information. These alleged deficiencies in turn meant that the consent relied upon by Google was not ‘informed’, and the user’s journey when creating an account did not involve ‘unambiguous’ consent. Transparency and consent are of course pivotal data protection issues in many contexts, and they have been given sharper teeth and additional nuance under the GDPR.
- The subject matter: the broad subject matter of this case is the use of personal data for the purposes of targeted advertising. This is of course a big issue under the GDPR: targeted advertising is nigh-on ubiquitous and fundamental to many businesses, but has also tended to generate concerns about data protection and privacy issues. The CNIL’s penalty against Google is very unlikely to be the last word on this subject.
I’ll refrain from commentary and analysis just now, and confine this post simply to highlighting those key points based on what we know so far.
On the subject of GDPR penalties issued by EU regulators, see also this article from last week in Handelsblatt about activity in Germany. In short, 41 penalties so far, the highest being €80,000 (with thanks to the Twitter feed of Hogan Lovells’ Eduardo Ustaran for that snapshot).
Robin Hopkins @hopkinsrobin