{"id":1845,"date":"2019-01-31T14:06:29","date_gmt":"2019-01-31T14:06:29","guid":{"rendered":"https:\/\/www.calligo.io\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/"},"modified":"2024-01-18T14:44:23","modified_gmt":"2024-01-18T14:44:23","slug":"data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr","status":"publish","type":"post","link":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/","title":{"rendered":"Data Privacy News: Two lessons from CNIL fining Google under GDPR"},"content":{"rendered":"\n<p>Last week, CNIL, the French data protection agency, handed Google the largest ever GDPR penalty (\u20ac50m) for its lack of transparency in how it collected and used personal data for personalised advertising.<\/p>\n\n\n\n<p>This is of course a landmark case in the implementation of GDPR. Importantly, it also shows that despite fears pre-May 2018, European DPAs will not be perturbed by the legal resources that some of the biggest companies in the world have at their disposal \u2013 despite the entirely predictable appeal that Google lodged almost immediately.<\/p>\n\n\n\n<p>But the case also raised two interesting points for privacy professionals: a debate over bias in which cases are pursued by DPAs, and how the \u201cone stop shop mechanism\u201d is applied in practice.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Is there bias in which cases DPAs pursue?<\/strong><\/li>\n<\/ol>\n\n\n\n<p>Within many of the CNIL-Google media reports, there were accusations that CNIL showed nationalist bias in punishing US-based Google, while not displaying the same zeal in pursuing French or European organisations for similar offences. Others added that this case was a classic example of many European DPAs\u2019 \u201canti-big\u201d bias \u2013 a tendency to go \u201cheadline hunting\u201d and target the biggest brands in order to demonstrate a dedication to protecting data subjects.<\/p>\n\n\n\n<p>But these accusations miss the point.<\/p>\n\n\n\n<p>If there is a conscious \u201canti-big\u201d bias in data privacy (which would be no surprise given wider geo-political trends), then that bias sits predominantly with the data subjects, not the data protection authorities.<br>A DPA will rarely begin a case of its own volition. Faced with limited proactive investigative resource, DPAs are alerted to potential foul play by receiving complaints from data subjects, and on examination of their merits and the seriousness of the offence(s), may initiate proceedings.<\/p>\n\n\n\n<p>Perhaps unsurprisingly, since GDPR\u2019s go live, almost every European DPA has reported large numbers of data subjects objecting to the ways in which the likes of Google and Facebook have collected and used their data. These high numbers of complaints will be an unavoidable effect of being some of the largest companies in the world \u2013 as any missteps will impact more people \u2013 but also a function of the underlying but growing \u201canti-big\u201d popular sentiment and mistrust of large enterprise.<\/p>\n\n\n\n<p>Clearly any DPA in such a situation will feel compelled to prioritise the cases attracting the greatest outcry \u2013 especially in the face of inevitable media attention, and regardless of the data subjects\u2019 possible bias or of the nationality of the alleged offending company.<\/p>\n\n\n\n<p>Secondly, this particular case was originally brought by two lobbyists: La Quadrature du Net (LQDN), who acted on behalf of more than 10,000 data subjects, and NOYB, a very powerful privacy pressure group that is headed by no less than Max Schrems, who made his name in privacy by bringing a case against Facebook that led to the invalidation of Safe Harbour. No DPA could realistically deprioritise a genuine case brought to them by these two bodies, especially when supported by hundreds of additional individual data subjects.<\/p>\n\n\n\n<p>So to answer the question above, yes there could well be a trend in how DPAs pursue some cases over others. But the bias actually sits mainly with the data subjects \u2013 and those bodies that represent them en masse \u2013 and their apparent own eagerness to retaliate against \u201cbig\u201d.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>2. The \u201cone stop shop mechanism\u201d in practice<\/strong><\/p>\n\n\n\n<p>This is a question of which DPA leads actions brought against companies. The \u201cone stop shop mechanism\u201d within the GDPR dictates that where an organization has entities in multiple EU countries, the DPA of the country where the organization\u2019s \u201cmain presence\u201d is located shall lead the proceedings.<\/p>\n\n\n\n<p>The role of \u201cleading proceedings\u201d means being the sole authority that the organization needs to deal with and respond to, while also requiring the chosen DPA to collaborate with the DPAs of other affected countries before making any decisions.<\/p>\n\n\n\n<p>There was a fear that this might lead to \u201cDPA shopping\u201d, as organizations who suspected actions may be brought against them could theoretically move their main presence to a country whose DPA is more lenient or less proactive.<\/p>\n\n\n\n<p>However, this case has shown that this \u2013 fortunately \u2013 will not work. It was deemed that despite any theoretical role in Google\u2019s organizational structure, Google\u2019s EU HQ in Ireland could not be considered the European data controller as it did not have decision-making powers over how data is processed. Being a controller is a prerequisite for the \u201cone stop shop\u201d rule to apply, and in the absence of a central European controller anywhere else, all of Google\u2019s European entities were deemed to be data processors, making all European DPAs, including CNIL, equally free to bring actions.<\/p>\n\n\n\n<p>This goes back to the main theme of&nbsp;<a href=\"https:\/\/calligo.cloud\/resources\/data-privacy\/data-privacy-news-uber\/\">our blog a couple of weeks ago about the Uber decisions<\/a>, and how DPAs will determine organizational liabilities based on actions, not titles \u2013 a theme we will no doubt see again and again and that companies need to be aware of.<\/p>\n\n\n\n<p>But despite Google and Uber both being fined in the last couple of months, don\u2019t fall into the trap of believing that DPAs are only interested in targeting the largest companies. We are seeing plenty of actions being brought against smaller companies whose actions have affected large numbers of data subjects.<\/p>\n\n\n\n<p>In fact, this mistake is one of the falsehoods of GDPR that we uncovered in our popular download,&nbsp;<a href=\"https:\/\/calligo.cloud\/resources\/ebook\/gdpr-myths\/\" target=\"_blank\" rel=\"noreferrer noopener\">the 10 Myths and Fairy Tales of GDPR<\/a>.<\/p>\n\n\n\n<p>We offer a range of privacy services \u2013&nbsp;&nbsp;<a href=\"https:\/\/calligo.cloud\/services\/data-privacy-services\/\">\u2018privacy-first\u2019 data management consultancy<\/a>&nbsp;and specific&nbsp;<a href=\"https:\/\/calligo.cloud\/services\/data-privacy-services\/data-privacy-regulation-services\/\">data privacy regulations assistance<\/a>, and importantly,&nbsp;<a href=\"https:\/\/calligo.cloud\/services\/data-privacy-services\/data-privacy-regulation-services\/gdpr-services\/\">GDPR services.&nbsp;<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CNIL, French data protection agency, handed Google the largest ever GDPR  fine (\u20ac50m) for its lack of transparency in how it collected &#038; used personal data<\/p>\n","protected":false},"author":33,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[142,140,141,121],"tags":[],"post_format_type":[40],"class_list":["post-1845","post","type-post","status-publish","format-standard","hentry","category-data-governance","category-data-privacy-glossary","category-data-protection","category-glossary"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data Privacy News: Two lessons from CNIL fining Google under GDPR | Calligo<\/title>\n<meta name=\"description\" content=\"CNIL, French data protection agency, handed Google the largest ever GDPR fine (\u20ac50m) for its lack of transparency in how it collected &amp; used personal data\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data Privacy News: Two lessons from CNIL fining Google under GDPR | Calligo\" \/>\n<meta property=\"og:description\" content=\"CNIL, French data protection agency, handed Google the largest ever GDPR fine (\u20ac50m) for its lack of transparency in how it collected &amp; used personal data\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/\" \/>\n<meta property=\"og:site_name\" content=\"Calligo\" \/>\n<meta property=\"article:published_time\" content=\"2019-01-31T14:06:29+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-18T14:44:23+00:00\" \/>\n<meta name=\"author\" content=\"Brendan Walsh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@calligocloud\" \/>\n<meta name=\"twitter:site\" content=\"@calligocloud\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Brendan Walsh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/\"},\"author\":{\"name\":\"Brendan Walsh\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f\"},\"headline\":\"Data Privacy News: Two lessons from CNIL fining Google under GDPR\",\"datePublished\":\"2019-01-31T14:06:29+00:00\",\"dateModified\":\"2024-01-18T14:44:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/\"},\"wordCount\":934,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.calligo.io\/#organization\"},\"articleSection\":[\"Data Governance\",\"Data Privacy\",\"Data Protection\",\"Glossary\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/\",\"url\":\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/\",\"name\":\"Data Privacy News: Two lessons from CNIL fining Google under GDPR | Calligo\",\"isPartOf\":{\"@id\":\"https:\/\/www.calligo.io\/#website\"},\"datePublished\":\"2019-01-31T14:06:29+00:00\",\"dateModified\":\"2024-01-18T14:44:23+00:00\",\"description\":\"CNIL, French data protection agency, handed Google the largest ever GDPR fine (\u20ac50m) for its lack of transparency in how it collected & used personal data\",\"breadcrumb\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.calligo.io\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data Privacy News: Two lessons from CNIL fining Google under GDPR\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.calligo.io\/#website\",\"url\":\"https:\/\/www.calligo.io\/\",\"name\":\"Calligo\",\"description\":\"Building value through data\",\"publisher\":{\"@id\":\"https:\/\/www.calligo.io\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.calligo.io\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.calligo.io\/#organization\",\"name\":\"Calligo\",\"url\":\"https:\/\/www.calligo.io\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg\",\"contentUrl\":\"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg\",\"width\":1200,\"height\":630,\"caption\":\"Calligo\"},\"image\":{\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/calligocloud\",\"https:\/\/www.linkedin.com\/company\/calligo-limited\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f\",\"name\":\"Brendan Walsh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g\",\"caption\":\"Brendan Walsh\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Data Privacy News: Two lessons from CNIL fining Google under GDPR | Calligo","description":"CNIL, French data protection agency, handed Google the largest ever GDPR fine (\u20ac50m) for its lack of transparency in how it collected & used personal data","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/","og_locale":"en_GB","og_type":"article","og_title":"Data Privacy News: Two lessons from CNIL fining Google under GDPR | Calligo","og_description":"CNIL, French data protection agency, handed Google the largest ever GDPR fine (\u20ac50m) for its lack of transparency in how it collected & used personal data","og_url":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/","og_site_name":"Calligo","article_published_time":"2019-01-31T14:06:29+00:00","article_modified_time":"2024-01-18T14:44:23+00:00","author":"Brendan Walsh","twitter_card":"summary_large_image","twitter_creator":"@calligocloud","twitter_site":"@calligocloud","twitter_misc":{"Written by":"Brendan Walsh","Estimated reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#article","isPartOf":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/"},"author":{"name":"Brendan Walsh","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f"},"headline":"Data Privacy News: Two lessons from CNIL fining Google under GDPR","datePublished":"2019-01-31T14:06:29+00:00","dateModified":"2024-01-18T14:44:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/"},"wordCount":934,"commentCount":0,"publisher":{"@id":"https:\/\/www.calligo.io\/#organization"},"articleSection":["Data Governance","Data Privacy","Data Protection","Glossary"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/","url":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/","name":"Data Privacy News: Two lessons from CNIL fining Google under GDPR | Calligo","isPartOf":{"@id":"https:\/\/www.calligo.io\/#website"},"datePublished":"2019-01-31T14:06:29+00:00","dateModified":"2024-01-18T14:44:23+00:00","description":"CNIL, French data protection agency, handed Google the largest ever GDPR fine (\u20ac50m) for its lack of transparency in how it collected & used personal data","breadcrumb":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.calligo.io\/insights\/glossary\/data-privacy-news-two-lessons-from-cnil-fining-google-under-gdpr\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.calligo.io\/"},{"@type":"ListItem","position":2,"name":"Data Privacy News: Two lessons from CNIL fining Google under GDPR"}]},{"@type":"WebSite","@id":"https:\/\/www.calligo.io\/#website","url":"https:\/\/www.calligo.io\/","name":"Calligo","description":"Building value through data","publisher":{"@id":"https:\/\/www.calligo.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.calligo.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/www.calligo.io\/#organization","name":"Calligo","url":"https:\/\/www.calligo.io\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/","url":"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg","contentUrl":"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg","width":1200,"height":630,"caption":"Calligo"},"image":{"@id":"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/calligocloud","https:\/\/www.linkedin.com\/company\/calligo-limited\/"]},{"@type":"Person","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f","name":"Brendan Walsh","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g","caption":"Brendan Walsh"}}]}},"_links":{"self":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts\/1845","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/users\/33"}],"replies":[{"embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/comments?post=1845"}],"version-history":[{"count":0,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts\/1845\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/media?parent=1845"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/categories?post=1845"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/tags?post=1845"},{"taxonomy":"post_format_type","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/post_format_type?post=1845"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}