Lessons From Google's €50m GDPR Fine: Part I

Author:Mr Philip Nolan
Profession:Mason Hayes & Curran

On 21 January 2019, the French data protection authority (the "CNIL") fined Google LLC ("Google") €50 million under GDPR. The CNIL issued the fine having found that Google breached certain transparency and lawful processing obligations. This is the largest fine that has been issued since GDPR came into force. Google has indicated its intention to lodge an appeal.

We analyse the CNIL's decision, taking a look at how the CNIL found that it had jurisdiction and explaining the potential flaws in the CNIL's conclusions.

In a follow-up post, we will consider the CNIL's decision regarding transparency and consent.


This decision stemmed from complaints issued in May 2018 by privacy activist groups, None of Your Business ("NOYB") and La Quadrature du Net Association ("LQDN"). Specifically, NOYB alleged that users of Android phones were unable to use their devices without first accepting Google's Privacy Policy and Terms of Service. LQDN complained that Google did not have a valid legal basis to process personal data for targeted advertising. The CNIL began an investigation into these complaints, ultimately leading to the highest regulatory fine levied under GDPR to date.

Main Establishment and OSS

Where an organisation processes personal data on a cross-border basis, it can leverage the one-stop-shop ("OSS") mechanism. Under OSS, if an organisation has a "main establishment" in an EU member state, it can benefit from regulation through a single, lead regulator in that member state. A main establishment is defined under GDPR as a company's "place of central administration" in the EU, unless decisions on the purposes and means of processing are taken in another EU establishment, which also has the power to implement those decisions. If an entity providing a pan-EU service lacks a main establishment, it is potentially subject to the jurisdiction of multiple EU data protection authorities.

Google's Arguments

Google claimed that the CNIL did not have jurisdiction, arguing that the complaints should be handled by Google's lead regulator, the Irish Data Protection Commission. Google asserted that its Irish affiliate, Google Ireland Limited ("Google Ireland"), was Google's main establishment in the EU, as it was Google's place of central administration in the Union. In this respect, Google pointed to the fact that its Irish operations had acted as its European headquarters since 2003 and employs more than 3,600 people across a number of EMEA-wide...

To continue reading