Google Fined €50 Million for GDPR Violations: What Does This Mean and What to Expect Next?

January 29 11:34 2019 Print This Article

France’s Supervisory Authority (CNIL) has fined Google $56.8 millions Euros for what the data protection watchdog believes is a violation by the multinational tech company on EU’s General Data Protection Regulation (GDPR).

How Did it Start?
After receiving complaints based on “forced consent” by Google from La quadrature du Net, a French digital rights advocacy group, and None of Your Business, a nonprofit organization led by Max Schrems (known for previous campaigns against Facebook for privacy violation), the CNIL started its investigation.

On the basis of its investigation, the CNIL established two types of breaches of the GDPR by Google that occur when new Android users set up a new phone and follow Android’s on-boarding process.

They claim that Google is making its data collection policies too difficult to access and that the company failed to obtain specific user consent.

The CNIL notes two specific reasons, later covered in this document:

A violation of the obligations of transparency and information.
A violation of the obligation to have a legal basis for ads personalization.
Policy Implications:
This decision by the CNIL shows insight into how it was permitted to issue the fine despite Google’s European HQ being located in Dublin.

The GDPR establishes a “one-stop shop” mechanism, providing that, as a main rule, organizations carrying out cross-border personal data processing activities will only have to deal with one lead supervisory authority (the DPA of that Member State) in the future. Cross-border processing can be further understood through Article 4(23) of the GDPR.

The benefit of the one-stop shop mechanism is that controllers and processors will be able to collaborate with one DPA so that other “concerned DPAs” can also be involved when the processing in question affects individuals in their State.

Cross-border processing applies to Google and so Google’s challenge is to find its lead supervisory authority. Article 56(1) establishes that the Supervisory Authority for the main establishment of the controller (controller = organization, just to keep it simple) will serve as the Lead Supervisory Authority.

The main establishment is further defined in Article 4(16) as, “the place of central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;”

The word “unless” is key in identifying the Lead SA for Google, or the lack of. Google’s headquarters is in Ireland, so naturally one would think it constitutes as the “place of central administration in the Union.” Wrong. The CNIL concluded that the EU Google HQ does not have the final say when it comes to data processing during the creation of new users on the Android OS (Who does? Most likely Google’s HQ in California but decidedly not in Ireland). This means that the Google Ireland HQ cannot be considered as a main establishment within the meaning of Article 4(16).

So, the issue remains in the hands of the French authority. Interesting. The CNIL is effectively considered the competent Supervisory Authority to flex its newfound power given under the GDPR.

Parting Thoughts:
The CNIL noted that the violations are “continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.” As of now, the CNIL is the supervisory authority responsible for the matter; other SA’s across EU will not be able to issue fines for the same infractions. However, I would not be surprised if SA’s across EU are examining Google’s operations under a now heavily magnified GDPR lens.

As this is the largest fine issued under the GDPR, all Member States of the EU would be wise to pay close attention and be eager to exercise their powers. Google (and many other companies) would be even wiser to take a closer look than before on how the GDPR impacts their data processing and act quickly. NYOB has already taken aim at top tech firms including Apple and Amazon under the GDPR. Now that the CNIL has acted on Google, expect more regarding other tech firms.

Of course, Google will likely appeal the fine which will provide more insight onto the situation and how clever Google’s lawyer can get in excusing Google’s actions. The $58.6 million fine is likely not a concern to Google. The real concern to Google is the changes it will be forced to make.

The original article was posted here:

  Article "tagged" as:
view more articles

About Article Author

GDPR Associates
GDPR Associates

View More Articles
write a comment


No Comments Yet!

You can be the one to start a conversation.

Add a Comment