The Conseil d’État (i.e. The French Supreme Administrative Court) upholds, by a decision of 19 June 2020, the €50 million sanction imposed on Google by a decision of the CNIL of 21 January 2019. The Supreme Court confirms that:
- the CNIL and not the Irish authority had jurisdiction;
- the company did not provide sufficiently clear and transparent information to users of Android (Google’s operating system);
- the company did not put them in a position to give free and informed consent to the processing of their personal data for the purposes of personalising the advertisements; and
- the EUR 50 million penalty is not disproportionate.
The CNIL is competent to sanction Google on the processing of French Android users’ data
Google believed that the Irish data protection authority had sole jurisdiction to control its activities in the European Union, according to a “one-stop-shop” principle established by the GDPR.
However, the French Court considers that Google LLC, which is based in the United States, had sole decision-making power at the time of the sanction and that its Irish subsidiary did not have such decision-making power or control over the other European subsidiaries.
Thus, the one-stop-shop system did not apply and the CNIL had jurisdiction to sanction Google’s failures to comply with the GDPR regarding the processing of French Android users’ data.
Google did not fulfil its obligations of information and transparency
The Conseil d’État confirms the CNIL’s assessment of the information provided to Android users regarding the processing of their data.
It points out that the information is incomplete (e.g. the retention period and some processing purposes are missing) and its layout in a tree structure does not meet the requirements of clarity and accessibility.
The user is not in a position to give freely given and informed consent to the processing of his data for the purposes of personalising advertising.
The Conseil d’État confirms that the information relating to targeted advertising is not presented in a sufficiently clear and distinct manner to collect a valid user’s first level global consent.
Indeed, it notices that when creating a Google account to use the Android :
- the user must agree to have his or her information processed according to a default setting, including advertising customisation features. This information is, at this stage, general and diluted in the middle of information relating to other purposes ;
- the collection of consent is, at this first level, carried out in a global manner for all the purposes pursued by the data processing.
The Supreme Court also considers that the additional information on targeted advertising accessible by clicking on a “more options” link is not sufficient either and the specific consent collected by means of a pre-ticked box does not meet the GDPR requirements as per the CJEU recent decision (C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH of 1 October 2019).
In this regard, in another decision of the same day, the Conseil d’Etat did not censor the CNIL’s approach regarding consent to the deposit of cookies, which may be collected for all purposes insofar as the data subject also has the possibility of accepting or refusing each of the processing purposes separately.
The €50 million sanction is not disproportionate
In view of the particular seriousness of the breaches, their continuous nature and duration, the ceilings provided for in the GDPR and the financial situation of Google LLC, the Conseil d’État considers that the penalty of EUR 50 million imposed by the CNIL is not disproportionate.