CNIL conducted the investigation at breakneck speed and fined Google immediately, even though Google requested that CNIL impose a compliance program instead. CNIL neither completely explained why the fine was imposed so quickly nor did it provide the reasoning for the amount of the fine. Moreover, it explicitly sidestepped the one-stop-shop mechanism that allows multinationals to designate one “lead” authority for Europe to alleviate compliance and enforcement burdens. This has serious implications for multinationals, which should now take immediate steps to prepare themselves for a new era of privacy enforcement and assess their appetite to appeal against enforcement decisions by DPAs in court.
CNIL’s investigation against Google
One-stop-shop mechanism does not apply equally to all multinationals: a potential violation of international trade law commitments
CNIL decided that the one-stop-shop mechanism did not apply in this case. The mechanism is a GDPR novelty and allows multinationals to select one “lead” DPA across Europe. In theory, companies should only have to deal with this “lead authority” in enforcement actions in Europe. The “lead” DPA then has to coordinate with other relevant DPAs across Europe through a consistency mechanism.
In this case, CNIL held that Google LLC did not have a “main establishment” in the EU, which is the benchmark used to determine the “lead” DPA. Consequently, CNIL argued that the one-stop-shop principle did not apply. The consequences are serious: disregarding that Google had selected the Irish DPA as its “lead” DPA, CNIL claimed jurisdiction over the case and immediately issued the first multi-million fine under the GDPR.
CNIL’s approach creates differential treatment between companies that make all data processing decisions in the EU and non-EU companies that make such decisions outside the EU. This raises the critical question of whether this GDPR interpretation complies with the EU’s international trade commitments under the law of the World Trade Organization (“WTO”). Under Article XVII of the General Agreement on Trade in Services, the EU must grant foreign services and service providers no less favourable treatment than similar domestically produced services and their providers (national treatment). Personal data processing services are among the sectors to which national treatment applies. CNIL sets a threshold that is almost impossible for non-EU companies to satisfy. The risk of a WTO law violation may therefore be more real than it seems. Focusing solely on the GDPR, European DPAs seem to overlook the broader relevance of their practices.
The ambiguity around the calculation of the fine
CNIL’s decision is the first where an administrative fine for GDPR violations was calculated based on the undertaking’s worldwide turnover. The notion of “undertaking” has been borrowed from competition law. According to the CJEU, in contrast to a “legal entity”, an “undertaking” means an economic unit, which may be formed by a parent company and all subsidiaries involved.
CNIL does not offer any explanation or methodology for determining the high amount of the administrative fine, EUR 50 million, which seems to have been produced out of thin air.
As we predicted, this decision is only the first step on the long and winding road towards such a methodology. In relation to the choice of a fine as a corrective measure (instead of a binding instruction coupled with a potential sanction), CNIL mentioned that the use of personal data for profiling and Google’s business model were among the decisive factors. CNIL also highlighted Google’s prominent position in the market, but did not include competition law concerns in its analysis.
GDPR: enter the enforcement and litigation era
Expected by many, feared by some, CNIL’s decision marks the arrival of GDPR enforcement. Clearly, CNIL had an interest in proceeding quickly with its investigation, as Google was already preparing to move its main establishment to Ireland. Given how (too?) quickly and boldly CNIL moved, one wonders whether its reasoning will hold up in court.
Google has announced it will appeal against the decision. If the trend of bold DPA decision-making continues, a new era of privacy litigation between companies and authorities is upon us. This is not unlike the explosion of litigation around access conditions to telecommunications infrastructure in the 1990s.
Takeaway: “main establishment” requires financial and organisational investments
Before a myriad of regulators knock on their doors, multinationals should move fast: it is imperative to (re)assess which European establishment qualifies as the main establishment, and to identify a “lead” supervisory authority accordingly. This main establishment should be designated both internally and in external privacy policies. Moreover, the designation of the main establishment should be backed by the necessary financial resources and actual decision-making powers. If a company is under the obligation to appoint a DPO, the DPO should be based in the same location. Naturally, it is also important to review the structure and availability of information on personal data uses and the related consent request mechanisms.
Companies that do not move quickly on these issues risk an onslaught of investigations across Europe, by DPAs – such as CNIL – that do not shy away from bold enforcement actions.
For further analysis, please read Axel Arnbak’s article in Dutch financial newspaper Het Financieele Dagblad here.