The highest administrative court in France confirms the fine of 50 million euros against Google | Orrick – Trust Anchor


On January 21, 2019, the CNIL (French Data Protection Authority) imposed a fine of 50 million euros on Google under the General Data Protection Regulation (the “GDPR”) for failing to (1) provide notice in an easily accessible form, using plain language, when users set up their Android mobile device and (2) obtain users’ consent to process personal data for the purpose of ad personalization. The CNIL’s action and the resulting fine stem from actions brought by two non-profit associations, None of Your Business and La Quadrature du Net. The fine was the first significant fine imposed by the CNIL under the GDPR and remains one of the highest fines to date. To determine the amount of the fine, the CNIL took into account the fact that the violations related to essential principles of the GDPR (transparency and consent), that the violations were continuing, the importance of the Android operating system in France and the fact that the privacy notice presented to users related to a number of processing operations. Google appealed the decision.

On June 19, 2020, the highest administrative court in France, the Council of State, confirmed the CNIL’s decision and the fine of 50 million euros. The court confirmed that Google had not provided users of Android mobile devices with sufficiently transparent notice of the processing of their personal data, nor had it obtained users’ valid consent to ad personalization. Regarding transparency, the court noted that Google’s privacy notice did not provide the level of clarity and accessibility required by the GDPR.

The court noted that when a Google user wanted to create an account to use the Android system, the user was asked to accept a general statement that included the use of data for the purpose of ad personalization. The court noted that the information on ad personalization was general and mixed with information on various other processing activities. The court therefore determined that the user’s consent to ad personalization did not meet the GDPR requirement that consent be specific, informed, freely given and unambiguous.

As for the level of the fine, the court declared that it was proportionate given the gravity and the continuing nature of the violations. Furthermore, and most importantly, the court affirmed that the CNIL had jurisdiction to regulate Google at the time of the offenses and the fine. Google had argued that the Irish Data Protection Board was its supervisory authority and its “one-stop shop” for data protection matters. However, the court determined that at the time of the fine, the Irish subsidiary of Google did not control the decisions relating to the data processing activities of the other Google subsidiaries. The GDPR “one-stop shop” was therefore not available to Google at the time and the CNIL was competent. This decision is an important statement that the much-touted GDPR one-stop-shop mechanism, which enables businesses to provide an effective forum for EU data protection regulators, must be properly supported by a company’s actual structure and place of decision-making to be effective.

