Google's EUR50 million GDPR fine was right, says legal opinion for top French court
12 Jun 2020 5:06 pm by Arezki Yaiche
Google's eight-figure fine from French data regulator CNIL for breaching EU privacy rules is proportionate and should be upheld, Alexandre Lallet, a magistrate at the French State Council, told judges at a hearing on 12 June.
The US tech giant appeared today in France's top administrative court to contest the fine of 50 million euros ($56 million) over a lack of transparency to users on how it used their data.
Lallet, whose role as a magistrate is to prepare non-binding recommendations for the judges, recommended that judges reject Google’s request for annulment on the basis that CNIL's sanction under the EU’s General Data Protection Regulation was legal.
The case is being closely watched by companies handling personal information, privacy regulators and advocates, as it's the first major test for enforcers' powers to impose multimillion-dollar fines under the EU's two-year-old GDPR.
"We understand the frustration of the company, which saw all its requests for a settlement rejected by the regulator, but [not taking into account] the alleged aggressiveness of the sanction procedure, it was right to consider there was lack of accessibility to a clear and comprehensive information for [users of Google's Android operating system]," Lallet said.**
Lallet said he was convinced that despite complexity over complying with the tough GDPR rules to obtain users' consent, “the company could have shown more transparency for personal data.” The data-retention period for users that refuse to accept Google's conditions is at times confusing, he added.
In its January 2019 decision, the CNIL fined Google for failing to provide transparent and adequate information to users about its use of their personal data. It also failed to seek "valid legal consent" from users to personalize ads, the watchdog said.
Google challenged the legality of that decision and filed an appeal to France's State Council, which will now deliberate and is expected to deliver a decision later this summer, MLex understands. No timeline was given during the public hearing in Paris today.
Representing Google, Patrice Spinosi told the court today that the US digital giant provided users that wished to create an account with two clear levels of information, which were not meant to mislead them.*
"There are many users ready to accept a global processing of their consent and others who want to go further and get more information," he said. Google provided a GDPR-compliant user consent procedure, he said.
There’s a first menu with a summary of the key privacy rules which can be quickly approved by ticking a box. If the user wants to go further there’s a second menu with a detailed list of functionalities that users can choose to tick or not, he explained.
Judge Reda Wadjinny-Green asked Spinosi why some user-consent sections on the second menu were unticked and others were not.
Information regarding ad customization would have the consent box unticked, while the box for access to users' content history would be ticked, Spinosi replied, to clarify that users weren’t encouraged to receive targeted ads.
Questioned on the data-retention period, however, Google’s lawyer was not able to reply to judges and asked to provide an answer later.
Preliminary ruling request
Spinosi also insisted that the CNIL's reasoning was wrong, invoking the GDPR to argue that the French regulator didn't have the authority to sanction Google.
Spinosi proposed referring the question of whether CNIL went beyond its jurisdiction to the EU Court of Justice — a request that Lallet, in his opinion, recommended be dismissed.
The CNIL didn’t go beyond its jurisdiction by imposing a GDPR fine on a company with no headquarters in France, Lallet said. It was right to act as a “lead data protection authority,” as the EU privacy rules allowed, he added.
The GDPR's "one-stop shop" mechanism for cross-border cases applies here as Google at the relevant time had no clear EU headquarters. The sanction was applied in January 2019 — when the Irish data-protection regulator had been officially designated as the company's "lead" authority for GDPR infringements — but the CNIL investigation started in 2018.
“Google is headquartered in California, it is not registered as a European corporation and its lead subsidiary in Europe, based in Ireland, has no control over subsidiaries in other member states. The Irish representation is a big sister, not the mother,” Lallet said.
Another key issue today was the proportionality of the 50 million-euro sanction, a record fine for the French privacy regulator.
Lallet said that the sanction, imposed for a serious infringement, still represented less than 0.05 percent of Google’s global turnover. Under the GDPR, infringers can be handed fines of up to 4 percent of their annual global turnover, he added.
In March, the US search giant scored a major victory against the CNIL in a separate case where the proportionality of a sanction was questioned by French State Council judges.
In 2016, the CNIL fined Google 100,000 euros for refusing to comply with an injunction to extend its European “right-to-be-forgotten” delisting of search results to all its global domain-name extensions. Judges considered that the regulator went beyond the GDPR's provisions in ordering a global delisting.
**MLex translation from original French