France’s Supervisory Authority (CNIL) has fined Google $56.8 millions Euros for what the data protection watchdog believes is a violation by the multinational tech company on EU’s General Data Protection Regulation (GDPR).
How did it start?
After receiving complaints based on ‘forced consent’ by Google from La quadrature du Net, a French digital rights advocacy group, and None of Your Business, a nonprofit organization led by Max Schrems (known for previous campaigns against Facebook for privacy violation), the CNIL started its investigation.
For what reasons?
On the basis of its investigation, the CNIL established two types of breaches of the GDPR by Google that occur when new Android users set up a new phone and follow Android’s onboarding process.
They claim that Google is making its data collection policies too difficult to access and that the company failed to obtain specific user consent.
The CNIL notes two specific reasons, later covered in this document:
This decision by the CNIL shows insight into how it was permitted to issue the fine despite Google’s European HQ being located in Dublin.
The GDPR establishes a “one-stop shop” mechanism, providing that, as a main rule, organizations carrying out cross-border personal data processing activities will only have to deal with one lead supervisory authority (the DPA of that Member State) in the future. Cross-border processing can be further understood through Article 4(23) of the GDPR.
The benefit of the one-stop shop mechanism is that controllers and processors will be able to collaborate with one DPA so that other “concerned DPAs” can also be involved when the processing in question affects individuals in their State.
Cross-border processing applies to Google and so Google’s challenge is to find its lead supervisory authority. Article 56(1) establishes that the Supervisory Authority for the main establishmentof the controller (controller = organization, just to keep it simple) will serve as the Lead Supervisory Authority.
The main establishment is further defined in Article 4(16) as:
“the place of central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;”
The word “unless” is key in identifying the Lead SA for Google, or the lack of. Google’s headquarters is in Ireland, so naturally one would think it constitutes as the “place of central administration in the Union.” Wrong. The CNIL concluded that the EU Google HQ does not have the final say when it comes to data processing during the creation of new users on the Android OS (Who does? Most likely Google’s HQ in California but decidedly not in Ireland). This means that the Google Ireland HQ cannot be considered as a main establishment within the meaning of Article 4(16).
So, the issue remains in the hands of the French authority. Interesting. The CNIL is effectively considered the competent Supervisory Authority to flex its newfound power given under the GDPR.
For those still reading on, here is a breakdown of the reasons the CNIL lists in its sanction of Google.