CNIL v Google. What Google got wrong.

On 21st January, the CNIL (the French ICO) fined Google €50 million for breaches of the GDPR. The amount of the fine is unlikely to worry Google unduly (it was fined €4.3 billion by the EU Commission in July 2018 for abuse of its dominant position in relation to the Android system; Google is appealing), but the fine shows that things are hotting up for companies that use mobile phones as platforms from which to gather and exploit personal data.


How many users were affected in total?  The CNIL’s notice doesn’t say, but a quick calculation suggests that approximately 20 million users were affected, which works out as a fine of €2.5 per affected user – not exactly heavy stuff.


The Google fine was not the CNIL’s first foray into privacy breaches relating to data collected via mobile phones. It has previously taken action against four French companies that collected (primarily) user location data. The last of these, Vectaury (see previous post here), had been ordered to destroy its database of 67 million records on the basis that the consents obtained were not valid and therefore the data was not properly obtained. Why the CNIL did not take the same action against Google is unclear. A possible reason is that the GDPR breaches the CNIL was aware of (the CNIL’s investigation was carried out largely online) related to an Android operating system that was used by only 7% of Android users, and it would have been difficult to separate this 7% from the remaining 93%.


So, what did Google get wrong? The CNIL started from the position that Google was a huge user of very detailed personal data (massifs et intrusifs is the phrase used by the CNIL) – a position that no-one was likely to argue with. If you are collecting this amount of personal data at this level of granularity (and the CNIL made the point that Google have over 20 different services collecting personal data, and a virtually unlimited ability to combine this data) then, according to the CNIL, you are under an obligation to make sure that you are really upfront and clear about how you are planning to use the data you collect: there will be little tolerance for error. Equally, you have to make sure you are rigorous in your compliance with the GDPR’s obligations.

Against this background, the CNIL found the following failures:


  • It was hard for users to find out how their data was going to be used. The CNIL gave a number of examples where a user would have to click 5 or 6 hyperlinks before they could find the relevant information. From the user’s perspective, the information was not provided in a clear and easy to access manner. On the contrary, it was fragmented and hard to navigate.


  • Some of the Google uses were described in vague marketing-speak: again, it was difficult for an ordinary user to understand what the data was really going to be used for.


  • There were some basic GDPR failures. For example, some uses (which required consent) were pre-ticked and, for some types of data, neither a specific retention period, nor criteria on which the retention period would be decided, were set out (ie. a breach of Article 13).


  • Some parts of the privacy documentation referred to the lawful basis as being consent, other parts referred to the lawful basis as being legitimate interest. Google had subsequently confirmed to the CNIL that it was all intended to be based on consent.


  • Given that consent was the basis, valid consent could not be given by the user. The poor quality of the documentation meant that the consent was, by definition, not informed.


  • The nature of consent as a lawful basis meant that it had to be specific to the purpose the data was going to be used for, and therefore each purpose required its own dedicated consents (ie. if there are 10 purposes, then 10 consents are required). Google had obtained the consents en bloc: therefore, by definition, they were not specific and therefore not valid.


On the facts, none of the CNIL’s conclusions are particularly surprising. Whether a disclosure is clear or not clear to an average user is something which, failing any objective evidence, is always likely to be subjective. However, it is noteworthy that Google did not put forward any evidence showing that it had tested its approach with user groups, ie. it was unable to present any objective evidence to rebut the CNIL’s subjective assessment.


How had Google got itself into such a mess? This was not discussed by the CNIL, but there are two likely reasons. The first possible reason is that, given the runaway success of the Android operating system, Google could no longer see the wood for the trees. What had started off as simple and clear had, after a number of patches, adjustments and improvements, turned into something that was fragmented and confusing. The fact that the Android system is run out of the US, not the EU, probably did not help things either.


The second possible reason is that Google relied too much on the fact that those users with Google accounts also had access to a number of settings and parameters which allowed them to control how their personal data would be used. That approach was fallacious because a) not all Android users would open a Google account, and b) the mere fact that Google had made this control functionality available (and the CNIL went out of its way to praise the Google tools, as well as the progress Google had made in making privacy more central) was not enough to cure, and legally could not cure, the failings that occurred right at the beginning when the user was onboarded.


The CNIL’s notice is about 30 pages long.  Of those 30 pages, only about 20 cover the issues set out above.  The first 10 pages consist of Google trying to find legal arguments to escape the clutches of the CNIL and arguing that the right body to regulate Google was the Irish DPC or the EDPB – frankly, please, anyone else other than the CNIL!  Google Ireland was not the main establishment, and therefore the Irish DPC not the lead authority, because Google Ireland had no decision-making authority in relation to the Android system (as the CNIL points out, Google Ireland didn’t even have a DPO).  The controller in relation to data collected by the Android system was Google LLC, the US company: there being no main establishment for Android in the EU, the CNIL was free to proceed against Google LLC.


Those first 10 pages are an amusing read (for those that like that kind of thing) as Google twists and turns but is slowly reeled in by the CNIL, and there’s a particular point where amusing becomes high farce when Google argues that the fact the CNIL’s documents were provided only in French is (together with some other factors) a breach of Article 6 of the European Convention on Human Rights (right to fair trial). Not exactly a huge vote of confidence in Google Translate, and doubly ironic because the argument is brought by one of the largest companies in the world sitting on a cash pile ($103bn in March 18) that makes the CNIL’s yearly budget look minuscule, and brought against the country that (more or less) invented human rights.