France Fines Google €50M for Alleged GDPR Violations
Publications - Client Alert | January 22, 2019
On January 21, 2019, France's National Data Protection Commission (CNIL) announced a €50M fine against Google under Europe's General Data Protection Regulation (GDPR). CNIL's press release and Deliberation No. SAN-2019-001 provide crucial insights into the first major fine imposed under the new data protection regulation since it went into effect in 2018.
This enforcement action is also the first test for the outer limits of GDPR's one-stop-shop mechanism. In general, the supervisory authority of the country in which a controller or processor is established (that entity's lead supervisory authority) is charged with enforcing GDPR against that entity and coordinating enforcement among any other concerned supervisory authorities. An exception provides that a supervisory authority in another country may address alleged violations by that entity if (a) the subject matter relates only to an establishment in its Member State or substantially affects data subjects only in its Member State and (b) the lead supervisory authority declines to handle the case after being properly notified. GDPR provides a procedure for coordination among those multiple supervisory authorities, but specifies that the lead supervisory authority shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor.
This enforcement action is the first fine issued by a supervisory authority that seeks to take advantage of the 4% of annual turnover upper limit allowed under GDPR. CNIL argued in the Deliberation that the fine was appropriate because Article 6, which defines the acceptable lawful bases for processing, is central to GDPR as a whole, and because transparency and disclosure requirements are among those punishable by the greatest fines under Article 83(5). This fine may not pose an existential threat to one of the world's largest companies, but it could easily do so for smaller organizations engaged in similar processing and disclosure practices.
Finally, this enforcement action validates Max Schrems' None Of Your Business (NOYB) advocacy group and its sister entity, La Quadrature du Net, as non-profit associations competent to act on behalf of their member data subjects under Article 80 of GDPR. The alleged violations were brought to CNIL's attention in complaints filed by these two groups on May 25 and 28, 2018, immediately after GDPR came into force. The Deliberation sets out the entire proceeding in fuller detail, including the various reports, comments, and replies from CNIL to Google and vice versa. Companies that engage in similar processing, especially those that rely upon consent as their lawful basis for doing so, should closely monitor those groups and their other complaints in order to stay ahead of enforcement activities by supervisory authorities in France and other European countries.
Kutak Rock's Privacy and Data Security Practice Group regularly advises U.S. and multinational clients with respect to GDPR compliance and enforcement. The Practice Group has closely monitored all major guidance and enforcement activity since well before GDPR's effective date, and stands ready to assist clients that wish to improve their risk posture with respect to this expansive regulation.
Please contact a member of our Privacy and Data Security Practice Group listed below.