CNIL has fined Goog­le LLC EUR 50 mil­li­on for trans­pa­ren­cy vio­la­ti­ons, insuf­fi­ci­ent infor­ma­ti­on and lack of con­sent for adver­ti­sing per­so­na­lizati­on. The fine stems from an inve­sti­ga­ti­on prompt­ed by com­plaints filed in late May 2018 by None Of Your Busi­ness (“NOYB” by Max Schrems) and the asso­cia­ti­on La Qua­dra­tu­re du Net (“LQDN”) was trig­ge­red. Thus, only about half a year pas­sed bet­ween the rece­ipt of the com­plaints and the fine noti­ce, which was pro­ba­b­ly only pos­si­ble becau­se the one-stop-shop mecha­nism does not app­ly to Goog­le LLC based in the USA, i.e. a third country.

Available docu­ments:

• CNIL media release
• CNIL decis­i­on of 21 Janu­ary 2019

Defi­ci­en­ci­es iden­ti­fi­ed in the pri­va­cy notices

On the merits, the CNIL cri­ti­ci­zed Google’s pri­va­cy noti­ces for not being “easi­ly acce­s­si­ble” within the mea­ning of Artic­le 12(1) of the GDPR. The struc­tu­re of the pri­va­cy noti­ces does not allow for legal­ly com­pli­ant infor­ma­ti­on becau­se the infor­ma­ti­on about the pro­ce­s­sing pur­po­ses, the sto­rage peri­od or the cate­go­ries of pro­ce­s­sed data is scat­te­red across seve­ral lin­ked docu­ments. It some­ti­mes takes five to six clicks to view all the infor­ma­ti­on, e.g. if the user wants to know how Goog­le hand­les geo­lo­ca­ti­on data.

In addi­ti­on, users are not able to under­stand the ext­ent of Google’s pro­ce­s­sing. This pro­ce­s­sing is par­ti­cu­lar­ly mas­si­ve, and the infor­ma­ti­on about the pur­po­ses of pro­ce­s­sing and data pro­ce­s­sed per pur­po­se is too gene­ral and impre­cise. Also, in the case of adver­ti­sing per­so­na­lizati­on, it is not suf­fi­ci­ent­ly clear that this is based on the user’s con­sent and not on a legi­ti­ma­te inte­rest. And final­ly, the sto­rage peri­od is not specified.

Inef­fec­ti­ve consent

Goog­le reli­ed on con­sent for adver­ti­sing per­so­na­lizati­on, but this con­sent was not effec­tively given. The con­sent (i.e. the user) is not suf­fi­ci­ent­ly infor­med, again becau­se the descrip­ti­on of the pro­ce­s­sing is scat­te­red in dif­fe­rent docu­ments, and the con­sent is also not suf­fi­ci­ent­ly clear (“spe­ci­fi­que”) and unam­bi­guous, in par­ti­cu­lar becau­se the choices are only dis­play­ed after a user action when ope­ning a user account and the opti­ons are pre-ticked, and becau­se the user can only con­sent en bloc instead of sepa­ra­te­ly per processing.

Sanc­tion assessment

With refe­rence to the penal­ty assess­ment, the CNIL men­ti­ons the fol­lo­wing circumstances:

• Scope of data pro­ce­s­sing and lin­k­ages and importance of Google’s ser­vices for users;
• con­tin­ued natu­re of the violations;
• Num­ber of affec­ted users of the Android system, “comp­te tenu de la place prépon­dé­ran­te qu’oc­cupe le système d’ex­plo­ita­ti­on Android sur le mar­ché fran­çais” – here a domi­nant mar­ket posi­ti­on sounds as an aggravating moment.