On 21 January 2019, the French Data Protection Authority (Commission Nationale Informatique et Liberté - "CNIL") imposed a fine of 50 million on Google for infringing the General Data Protection Regulation 2016/679 (the "GDPR"). As the operator of the Android system, Google was found to have breached various requirements of the GDPR, including providing insufficient information to users and failing to obtain valid consent for the personal advertisements targeting users. CNIL asserted its territorial jurisdiction over Google, arguing that Google could not benefit from the one-stop-shop principle under the GDPR. Given its possible value as a precedent for the enforcement of data protection rules across Europe, the CNIL decision also has its place in a newsletter covering Belgian legal developments.
The CNIL decision follows complaints that had been filed by consumer rights organisations None of Your Business ("NOYB") and La Quadrature du Net ("LQDN") on 25 and 28 May 2018, just after the GDPR had become applicable throughout the EU.
No One-Stop-Shop for Google
Under the GDPR, enforcement of data protection law is left to the national supervisory authorities of the Member States. To avoid multinational organisations established in various EU Member States having to answer to various national supervisory authorities, Article 56 of the GDPR creates a 'one-stop-shop', pursuant to which the supervisory authority of the main establishment acts as "lead supervisory authority" for cross-border processing.
Google has various establishments in Europe, including a French affiliate, Google France SARL. However, Google's European headquarters are located in Ireland, where Google Ireland Limited is established. Google Ireland Limited is the contracting party for all European sales contracts and boasts a much larger workforce than its French affiliate. Google therefore argued that CNIL should transfer the case to the Irish Data Protection Commissioner which would act as the lead supervisory authority.
However, CNIL rejected Google's arguments and held that the European seat of an organisation does not necessarily equate to the "main establishment" which defines the lead supervisory authority under Article 56 of the GDPR. CNIL considered that the Irish establishment did not have real decisional powers and therefore could not be regarded as the main establishment for the matter at hand. Moreover, it noted that Google Ireland Limited had not appointed and...