CNIL has fined Google LLC EUR 50 million for transparency violations, insufficient information and lack of consent for advertising personalization. The fine stems from an investigation prompted by complaints filed in late May 2018 by None Of Your Business (“NOYB” by Max Schrems) and the association La Quadrature du Net (“LQDN”) was triggered. Thus, only about half a year passed between the receipt of the complaints and the fine notice, which was probably only possible because the one-stop-shop mechanism does not apply to Google LLC based in the USA, i.e. a third country.
Available documents:
Deficiencies identified in the privacy notices
On the merits, the CNIL criticized Google’s privacy notices for not being “easily accessible” within the meaning of Article 12(1) of the GDPR. The structure of the privacy notices does not allow for legally compliant information because the information about the processing purposes, the storage period or the categories of processed data is scattered across several linked documents. It sometimes takes five to six clicks to view all the information, e.g. if the user wants to know how Google handles geolocation data.
In addition, users are not able to understand the extent of Google’s processing. This processing is particularly massive, and the information about the purposes of processing and data processed per purpose is too general and imprecise. Also, in the case of advertising personalization, it is not sufficiently clear that this is based on the user’s consent and not on a legitimate interest. And finally, the storage period is not specified.
Ineffective consent
Google relied on consent for advertising personalization, but this consent was not effectively given. The consent (i.e. the user) is not sufficiently informed, again because the description of the processing is scattered in different documents, and the consent is also not sufficiently clear (“specifique”) and unambiguous, in particular because the choices are only displayed after a user action when opening a user account and the options are pre-ticked, and because the user can only consent en bloc instead of separately per processing.
Sanction assessment
With reference to the penalty assessment, the CNIL mentions the following circumstances:
- Scope of data processing and linkages and importance of Google’s services for users;
- continued nature of the violations;
- Number of affected users of the Android system, “compte tenu de la place prépondérante qu’occupe le système d’exploitation Android sur le marché français” – here a dominant market position sounds as an aggravating moment.