User:Sloths2/sandbox

General Data Protection Regulation (GDPR) - Imposed Fines
The General Data Protection Regulation (GDPR), an EU law, protects user privacy and data. In addition to its substantive law outlining how privacy must be protected, the GDPR requires that every EU Member State has a data protection authority that can enforce the law's measures. These data protection authorities, referred to as "supervisory authorities" in the text of the GDPR, "protect the fundamental rights and freedoms of natural persons in relation to processing and [facilitate] the free flow of personal data within the Union." These national data protection authorities must have independence, including functional independence, independence from conflicts of interest, personnel and management independence, organizational and technical independence, and financial independence.

French CNIL Fines Google
At the end of May 2018, in the initial days of the GDPR's implementation, None of Your Business and La Quadrature du Net filed group complaints with the Commission nationale de l'informatique et des libertés (CNIL) alleging that Google was in violation of the GDPR. In September 2018, the CNIL performed online inspections of Google's systems. The CNIL focused on the experience of a user creating a Google account during the configuration of an Android device. On January 21, 2019, the CNIL fined Google 50 million euros for violations of the GDPR.

Legal Authority
The CNIL is France's data protection authority. As such, the CNIL oversees the enforcement of French laws protecting personal data and provides guidance on French privacy law interpretation. On June 20, 2018, the French government enacted Act No. 2018-493 on Personal Data Protection in order to incorporate the GDPR into French law. Instead of creating a new law, this act amended the French Data Protection Act No. 78-17 of January 6, 1978, France's original law on data protection. However, this Personal Data Protection amendment only brings the French Data Protection Act into partial compliance with the GDPR. The inconsistency means that both the French Data Protection Act and the GDPR apply in France, with the GDPR prevailing in cases of conflict.

The GDPR has a "one-stop-shop" mechanism. Under the GDPR, organizations conducting cross-border data processing can have a "main establishment" in the EU. The supervisory authority for the country in which an organization's main establishment is located then becomes the organization's lead supervisory authority. If another Member State has concerns about the organization's data processing, then the Member State can alert the lead supervisory authority for that organization or investigate locally in conjunction with the lead supervisory authority. On June 1, 2018, the CNIL sent the complaints it had received from None of Your Business and La Quadrature du Net to the other members of the European Union. Discussions with the other countries' data protection authorities established that, despite having a European headquarters in Ireland, Google did not have a main establishment per the GDPR and therefore did not have a lead supervisory authority. Without a lead supervisory authority, Google could not invoke the "one-stop-shop" mechanism and the CNIL had authority to investigate the complaints.

Violations
CNIL's restricted committee found two types of violations: (a) lack of transparency and (b) lack of proper consent for data processing in ad personalization. First, as to lack of transparency, the CNIL found Google's user privacy information failed to be easily accessible, clear, and comprehensive. Google did not make appropriately clear the extent of their integrated services and the extent of personal data being used, from Google Maps to YouTube. Other issues included vague language regarding the purpose of using the data, lack of clarification of the legal basis underlying the data processing, and missing retention periods for some of the data. Moreover, the CNIL disapproved of how Google communicated the information. Instead of one main document, Google had users navigate through the information using links. To understand ad personalization a user had to take five click actions, and to understand geolocation a user had to take six click actions.

Second, as to lack of proper consent, the CNIL did not deem Google's collection of user consent to be adequate. The user could not give informed consent because of the deficiencies in transparency listed above. Furthermore, the CNIL did not approve of Google's tick box system to gather user consent. When creating a Google account with a new Android device, a user scrolls through a summary of Google's data processing procedures. If the user clicks on "more options," they can opt in to or opt out of particular tracking activities. If the user does not click down into "more options," then they are just asked to consent to all the processing Google does. The CNIL took issue with this blanket permission and with the fact that Google had pre-ticked the ads personalization box within the "more options" page.

The Fine
The maximum penalty under the GDPR is four percent of global revenue. If fined at the maximum level, Google would owe more than four billion dollars. In a public statement, the CNIL described a number of factors that contributed to determining the fine amount:


 * the severity of the infringements regarding "essential principles of the GDPR: transparency, information and consent"
 * the users don't have guarantees regarding processing operations that can "reveal important parts of [a user's] private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations"
 * the violations are continuous breaches
 * the large number of Android devices in the French market and the number of French people who create a new Google account via an Android device
 * the economic model of the company is partly based on ads personalization

The CNIL fined Google 50 million euros for violations of the GDPR.

Responses
In a statement to the Washington Post, Google said: "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR." Google will appeal the decision. Per a company spokesperson, Google is "concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond."

La Quadrature du Net, one of the organizations that filed the initial complaints with the CNIL, described the fine as "very low in comparison to Google's annual turnover."