CNIL fine against Goog­le confirmed

France’s hig­hest admi­ni­stra­ti­ve court, the Con­seil d’E­tat, has ruled the CNIL fines Goog­le con­firm­ed on June 19, 2020 (Janu­ary 21, 2019, EUR 50 million).

The Con­seil d’E­tat first con­firms that Goog­le LLC does not have, or did not have at the time, a prin­ci­pal estab­lish­ment in the EU becau­se the Irish estab­lish­ment did not have the power to ins­truct or con­trol Goog­le LLC (prin­ci­pal admi­ni­stra­ti­on) or to deci­de on the pur­po­ses and means of its data pro­ce­s­sing ope­ra­ti­ons (Art. 4 No. 16 lit a GDPR).

On the merits, the Con­seil d’E­tat also con­siders Google’s infor­ma­ti­on on its data pro­ce­s­sing to be non-trans­pa­rent. In par­ti­cu­lar, the first-level infor­ma­ti­on (first level in the “laye­red approach”) was too gene­ric. Also, effec­ti­ve con­sent had not been obtai­ned, due to insuf­fi­ci­ent infor­ma­ti­on and with a pre-ticked checkbox.

The Con­seil d’E­tat then con­side­red the sanc­tion to be appro­pria­te. Moreo­ver, the CNIL had not been obli­ged to spe­ci­fy the cri­te­ria for the assess­ment of the sanc­tion in detail.