On May 25th, 2018 the General Data Protection Regulation (GDPR) entered into force. From that date forth, companies were required to comply with the text in order to best protect citizens’ personal data within the European Union.
In France, it is the French Data Protection Authority (CNIL) which monitors the compliance of companies with the Regulation and imposes appropriate sanctions. In fact, some major Web players have already been sanctioned by the Commission for the processing of individuals’ personal data.
On the initiative of thousands of people, the interest groups “La Quadrature du Net” (LQDN) and “None of Your Business” (NOYB) launched a complaint against Google LLC through the CNIL. On 21st of January 2019, CNIL fined Google 50 million euros after multiple violations of the recently approved General Data Protection Regulation (GDPR).
Hailed as a victory for privacy law advocates against Google’s lack of transparency and use of personal data without the well-informed consent of users, the decision sets a few precedents for cases concerning data and privacy laws that may be applicable to businesses with ties to the European market.
CNIL found that Google had violated Article 12 of the GDPR, which provided that information be transparent and easily accessible to users. This in turn violated the General Data Protection Regulation’s principle ensuring transparency because data users where unaware of the inherent scope and consequences of their personal data, and how it was being utilized by Google.
With the fragmentation of Privacy Terms and General Conditions scattered throughout several documents, forcing users to piece together information and perform several actions on their own, CNIL found that Article 12 and 13 were not being respected properly by Google.
While actions led against Google raise concerns about future transatlantic relations between the US and EU, the impact concerns only American and other IT businesses that have been negligent with users’ personal data. The case sets new standards and practices for businesses to respect when dealing with personal information and ensuring its confidentiality.
Particularly with future General Agreements, consent will no longer be considered valid unless the contracts themselves are clear and legible for users to understand the basic information concerning data processing and what are its implications to a user’s personal data.
Google LLC argued that CNIL was not competent to handle complaints filed against Google Europe, seeing as Google Europe’s principal place of business is located in Ireland, and should have therefore been left to the competencies of the Data Protection Commission in Dublin.
Considering Article 4 (16) and 36 of the GDPR’s definition for a “principal place of business”, Google argued that its office in Dublin carried the principal administrative, financial, and data processing functions to be considered the principal place of business in Europe.
However, it was demonstrated that these functions were not enough to make it the final decision-making place of business that was required to fit the definition, as these were shared functions. In fact, the principal place of business of Google was considered to be in the United States, as business decisions were still being relayed from the United States to Ireland.
Seeing as there was an absence of a principal place of business in Europe and in accordance with Articles 55 and 56 of the GDPR, CNIL was proven to be fully competent. Furthermore, the Data Protection Commission in Dublin had affirmed on August 27th, 2018 that it was incompetent to make a decision on the case.
This is the first time that the CNIL has imposed such a significant financial sanction on the processing of personal data, which is why this solution will make it possible to accelerate compliance with the GDPR.
In the event that these companies do not comply with the GDPR, high penalties could be imposed by the Commissions responsible for monitoring compliance with the processing of personal data on European territory, in order to protect users and in particular to ensure that their personal data are respected.
Aleks García Fernández