- The Conseil d’Etat confirmed the CNIL fine against Google of June 19, 2020 (originally Jan. 21, 2019, EUR 50 million).
- Google LLC was not considered to be the main establishment in the EU; the Irish branch had no decision-making or controlling authority.
- Google’s information obligations were non-transparent; first level of information too generic, consent ineffective due to insufficient information and preselected checkbox.
- The sanction imposed was deemed appropriate; CNIL did not have to disclose the sanction assessment criteria in detail.
France’s highest administrative court, the Conseil d’Etat, has ruled the CNIL fines Google confirmed on June 19, 2020 (January 21, 2019, EUR 50 million).
The Conseil d’Etat first confirms that Google LLC does not have, or did not have at the time, a principal establishment in the EU because the Irish establishment did not have the power to instruct or control Google LLC (principal administration) or to decide on the purposes and means of its data processing operations (Art. 4 No. 16 lit a GDPR).
On the merits, the Conseil d’Etat also considers Google’s information on its data processing to be non-transparent. In particular, the first-level information (first level in the “layered approach”) was too generic. Also, effective consent had not been obtained, due to insufficient information and with a pre-ticked checkbox.
The Conseil d’Etat then considered the sanction to be appropriate. Moreover, the CNIL had not been obliged to specify the criteria for the assessment of the sanction in detail.