Just several days ago we reported about two opinions of Advocate-General Szpunar in cases involving the French data protection authority - Commission for Information Technology and Civil Liberties (CNIL) and the US digital giant Google. We mentioned that both cases concerned the interpretation of the Data Protection Directive, the predecessor of the currently applicable General Data Protection Regulation. Earlier today the CNIL issued yet another decision, once again directed against Google, this time blazing the trail for the application of new data protection rules.
The decision, imposing a 50 million euro fine on GOOGLE LLC, is bound to raise both substantive and procedural questions. Unlike previous cases, which primarily focused on the right to be forgotten, the decision issued today concerns the alleged "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization". Indeed, the GDPR has further specified the data controllers' transparency obligations, the requirements for a valid consent and the data subjects' information rights and has backed them by effective sanctions. The emerging case practice clearly illustrates the growing importance of data protection law for the protection of consumer interests in the digital age. The GDPR-based complaint filed by several European consumer organizations concerning Google's practices of location tracking, on which we reported last November, further exemplifies this trend.
On the procedural side, the question may arise whether the French DPA was at all competent to deal with the case considering the "one-stop-shop mechanism" introduced by the GDPR. The CNIL seems to argue that the mechanism was not applicable in the present case due to the lack of Google's main establishment in the EU. Considering the growing interests in the company's data processing practices across the European jurisdictions, Google's appeal against this finding would be anything but surprising (update: an appeal has in the meantime been confirmed). Incidentally, in the 'location data' case, the respective complaint had been lodged with the Norwegian DPA, highlighting the relevance of the matter for the whole EEA.
Full text of today's CNIL decision (in French) can be consulted here.