On 21 January 2019, the French data protection authority (the "CNIL") fined Google LLC ("Google") €50 million under GDPR. The CNIL issued the fine having found that Google breached certain transparency and lawful processing obligations. This is the largest fine that has been issued since GDPR came into force. Google has indicated its intention to lodge an appeal.
We analyse the CNIL's decision, taking a look at how the CNIL found that it had jurisdiction and explaining the potential flaws in the CNIL's conclusions.
In a follow-up post, we will consider the CNIL's decision regarding transparency and consent.
Main Establishment and OSS
Where an organisation processes personal data on a cross-border basis, it can leverage the one-stop-shop ("OSS") mechanism. Under OSS, if an organisation has a "main establishment" in an EU member state, it can benefit from regulation through a single, lead regulator in that member state. A main establishment is defined under GDPR as a company's "place of central administration" in the EU, unless decisions on the purposes and means of processing are taken in another EU establishment, which also has the power to implement those decisions. If an entity providing a pan-EU service lacks a main establishment, it is potentially subject to the jurisdiction of multiple EU data protection authorities.
Google claimed that the CNIL did not have jurisdiction, arguing that the complaints should have been handled by Google's lead regulator, the Irish Data Protection Commission. Google asserted that its Irish affiliate, Google Ireland Limited ("Google Ireland"), was Google's main establishment in the EU, as it was Google's place of central administration in the Union. In this respect, Google pointed to the fact that its Irish operations had acted as its European headquarters since 2003 and employed more than 3,600 people across a number of EMEA-wide functions, including finance and tax. Further, Google Ireland was the entity that sold Google advertising (ie Google's AdWords and AdSense products). The CNIL, however, rejected this position.
Certain aspects of the CNIL's decision around main establishment can be called into question.
1. Requirement for decision-making
Where a controller has multiple establishments in the EU, then, by default, that controller's place of central administration is its main establishment. This is clearly set out in the definition at Article 4(16)(a) GDPR. However, if another EU establishment makes, and implements, decisions on the processing of personal data, that establishment will displace the place of central administration as the "main" establishment.
Despite this, the CNIL appears to take the position that the place of central administration must itself have decision-making power over the processing of personal data. In other words, if the central administration does not have decision-making power, then it cannot be the main establishment. The upshot of this appears to be that there can be no main establishment where neither the central administration nor any other EU establishment has such powers. In particular, the CNIL argued that the main establishment cannot automatically be equated with the head office. It drew on regulatory guidelines issued by the Article 29 Working Party ("Guidelines"), which state that:
"[t]he approach implied in the GDPR is that the central administration in the EU is the place where decisions about the purposes and means of the processing of personal data are taken and this place has the power to have such decisions implemented."
However, the Guidelines also clearly recognise that an EU headquarters constitutes the place of central administration. Furthermore, the CNIL's approach arguably misinterprets Recital 36, which is intended to flesh out how to determine the main establishment. Interestingly, the role of Recital 36 is actually highlighted in the Guidelines, which state that the Recital "is useful in clarifying the main factor that shall be used to determine a controller's main establishment if the criterion of the central administration does not apply." (emphasis added) In other words, questions regarding the location of data protection control should only come into play where decision-making powers are exercised in an EU establishment other than in the place of central administration.
Therefore, so long as the controller has a place of central administration in the EU, and this is not supplanted by another EU establishment having decision-making power, then arguably the default should stand. On a straightforward application of the statutory tests in the GDPR, by default, the place of central administration is the main establishment, whether or not it exercises decision-making powers.
2. Ignoring Complexities of Establishment
One of Google's other arguments was that the CNIL's approach did not make a distinction between the controller and the main establishment (ie between Google and Google Ireland). This is a tricky issue.
The notion of an 'establishment' is a complex one. CJEU case law recognised that a legal entity established under member state law and operating in the Union can operate as an "establishment" of a foreign controller (see, in particular, the Google Spain case, where Google's Spanish marketing subsidiary was found to be an establishment of Google Inc.).
The CNIL's approach fails to acknowledge that a non-EU controller can have a main establishment through an EU headquarters operated by a different legal entity.
3. GDPR Policy Objectives
Lastly, the CNIL's interpretation ignores the fact that one of the GDPR's key aims is to harmonise and streamline the regulation of data protection in the EU.
OSS is a central tenet of GDPR, aiming to ensure coordinated and consistent regulation through lead regulators. Provided that a controller – whether primarily located in the EU, US or otherwise – has, at the very least, a place of central administration in the EU, it should benefit from OSS. The concept of main establishment should be applied in a way that enables the OSS, rather than hampering it.
In order to leverage OSS, an organisation involved in cross-border processing should clearly identify and document its main establishment and the reasons supporting this decision. This, in turn, should inform where formal supervisory authority filings, such as the notification of the appointment of a DPO, are to be made.
In particular, given the prevailing regulatory views, that organisation should ensure it can demonstrate that decision-making abilities and powers regarding the processing of personal data, including implementation, are exercised from the relevant establishment. If such powers are exercised elsewhere, particularly outside the EU, the position of the main establishment may be bolstered by its having the ability to implement those decisions and by its assuming liability for the processing. It seems that, absent decision-making powers, merely pointing to a central administration in the EU may not suffice, despite what a literal interpretation of the key GDPR Articles suggests.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.