On 21 January 2019, the French data protection authority (the "CNIL") fined Google LLC ("Google") €50 million under GDPR. The CNIL issued the fine having found that Google breached certain transparency and lawful processing obligations. This is the largest fine that has been issued since GDPR came into force. Google has indicated its intention to lodge an appeal.
We analyse the CNIL's decision, taking a look at how the CNIL found that it had jurisdiction and explaining the potential flaws in the CNIL's conclusions.
In a follow-up post, we will consider the CNIL's decision regarding transparency and consent.
Main Establishment and OSS
Where an organisation processes personal data on a cross-border basis, it can leverage the one-stop-shop ("OSS") mechanism. Under OSS, if an organisation has a "main establishment" in an EU member state, it can benefit from regulation through a single, lead regulator in that member state. A main establishment is defined under GDPR as a company's "place of central administration" in the EU, unless decisions on the purposes and means of processing are taken in another EU establishment, which also has the power to implement those decisions. If an entity providing a pan-EU service lacks a main establishment, it is potentially subject to the jurisdiction of multiple EU data protection authorities.
Google claimed that the CNIL did not have jurisdiction, arguing that the complaints should be handled by Google's lead regulator, the Irish Data Protection Commission. Google asserted that its Irish affiliate, Google Ireland Limited ("Google Ireland"), was Google's main establishment in the EU, as it was Google's place of central administration in the Union. In this respect, Google pointed to the fact that its Irish operations had acted as its European headquarters since 2003 and employed more than 3,600 people across a number of EMEA-wide...