SHARE
COPY LINK

GOOGLE

Why France hit Google with a whopping €50 million fine

Here's what France's data protection watchdog CNIL had to say about why it hit Google with an unprecedented and eye-watering €50 million fine.

Why France hit Google with a whopping €50 million fine
Photo: AFP

France's data watchdog (CNIL) announced Monday a fine of 50 million euros ($57 million) for US web search giant Google, using the EU's strict General Data Protection Regulation for the first time.

Below is the full text from CNIL explaining why it took action against the internet giant.

****

On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (“NOYB”) and La Quadrature du Net(“LQDN”). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach Google for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.

The handling of the complaints by the CNIL

The CNIL immediately started investigating the complaints. On 1st June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess if it was competent to deal with them. Indeed, the GDPR establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must therefore coordinate the cooperation between the other Data Protection Authorities before taking any decision about a cross-border processing carried out by the company.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where Google’s European headquarters are situated, did not allow to consider that Google had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by Google LLC, in relation to the creation of an account during the configuration of a mobile phone.

As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by Google LLC, as were the other DPA. The CNIL implemented the new European Framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.

In order to deal with the complaints received, the CNIL carried out online inspections in September 2018. The aim was to verify the compliance of the processing operations implemented by Google with the French Data Protection Act and the GDPR by analysing the browsing pattern of a user and the documents he or she can have access, when creating a Google account during the configuration of a mobile equipment using Android.

The violations observed by the restricted committee

On the basis of the inspections carried out, the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act observed two types of breaches of the GDPR.

France uses new EU data law to fine Google €50 million

A violation of the obligations of transparency and information:

First, the restricted committee notices that the information provided by Google is not easily accessible for users.

Indeed, the general structure of the information chosen by the company does not enable to comply with the Regulation. Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated  across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions. For instance, this is the case when a user wants to have a complete information on his or her data collected for the personalization purposes or for the geo-tracking service.

Moreover, the restricted committee observes that some information is not always clear nor comprehensive.

Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined. The restricted committee observes in particular that the purposes of processing are described in a too generic and vague manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.

A violation of the obligation to have a legal basis for ads personalization processing:

The company Google states that it obtains the user’s consent to process data for ads personalization purposes. However, the restricted committee considers that the consent is not validly obtained for two reasons.

First, the restricted committee observes that the users’ consent is not sufficiently informed.

The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section “Ads Personalization”, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You tube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.

Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.

When an account is created, the user can admittedly modify some options associated to the account by clicking on the button « More options », accessible above the button « Create Account ». It is notably possible to configure the display of personalized ads.

That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button “More options” to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Finally, before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by Google based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is “specific” only if it is given distinctly for each purpose.

The fine imposed by the restricted committee and its publicity

The CNIL restricted committee publicly imposes a financial penalty of 50 Million euros against Google.

This is the first time that the CNIL applies the new sanction limits provided by the GDPR. The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.

Despite the measures implemented by Google (documentation and configuration tools), the infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations. The restricted committee recalls that the extent of these processing operations in question imposes to enable the users to control their data and therefore to sufficiently inform them and allow them to validly consent.

Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.

Finally, taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a Google account when using their smartphone. Furthermore, the restricted committee points out that the economic model of the company is partly based on the ads personalization. Therefore, it is of its utmost responsibility to comply with the obligations on the matter.

Please find here the deliberation of the CNIL's restricted commitee.

BUSINESS

Google flags higher ad rates in France and Spain after digital tax

Google has told customers that it will raise the rates for advertisements on its French and Spanish platforms by two percent from May to help offset the impact of a digital tax on profits.

Google flags higher ad rates in France and Spain after digital tax

France has collected the levy since 2019, and Spain since this year, under
pressure from voters to make US tech giants pay a greater share of taxes in
countries where they operate.

The ad rate increase is to “cover a part of the cost of conforming to laws
concerning taxes on digital services in France and Spain,” the internet giant
said in an e-mail seen by AFP.

In France, internet companies with more than 750 million euros ($895
million) in worldwide sales, and 25 million in France, must pay a three
percent tax on their French operations, notably advertising sales and
marketplace operations.

Spain also charges a three-percent tax on some of their businesses.

Jean-Luc Chetrit, head of the Union des Marques, an alliance of major
brands, said Google’s decision would “amputate the investment capacity of
brands at a time when all companies are going through an unprecedented crisis.”

Google did not respond to AFP’s requests for comment, but Karan Bhatia, its head of government affairs, warned in February that “Taxes on digital services complicate efforts to reach a balanced agreement that works for all countries.”

“We urge these governments to reconsider what are essentially tariffs, or
at least suspend them while negotiations continue,” he said.

Google as well as Apple, Facebook and Amazon – grouped together as “GAFA” – are in the crosshairs of European governments that accuse them of exploiting common market rules to declare all profits in the bloc in low-tax
jurisdictions such as Ireland or Luxembourg.

Critics say they are depriving national tax authorities of millions of euros even as they profit from a surge in online activities because of home-working and social distancing rules during the Covid-19 crisis.

The companies counter that they are being unfairly targeted by discriminatory levies.

Google logo
Google logo. Photo: Eva HAMBACH / AFP

Global deal?

Amazon had already responded to the French tax last October by raising the rates it charges France-based marketplace sellers by three percent.

Apple followed suit by raising the commission it charges developers who
sell apps on its platform not only in France, but also in Italy and Britain.

The French tax move on global digital companies made it a pioneer in the
struggle to find a fair fiscal system for internet multinationals whose tax
bill is often tiny compared to their income.

Contacted by AFP, Facebook said it had no plans to raise prices for ads in
France or Spain for now as it waited for a global accord on fiscal rules.

The French tax brought in 400 million euros to government coffers in 2019,
and the government applied the levy again last year despite pressure from the Trump administration to drop it.

With President Joe Biden in the White House, the Organization for Economic Cooperation and Development (OECD) – which is overseeing negotiations on a digital tax – has said it hopes a G20 finance ministers’ meeting in July will hammer out an agreement on the issue.

Last month, the new US Treasury Secretary, Janet Yellen, said Washington
would no longer insist on a “safe harbour” clause that would effectively make participation in a global tax scheme optional, removing a key sticking point with EU officials.

SHOW COMMENTS