CNIL’s Decision Fining Google Violates One-Stop-Shop

Abstract

On 21 January 2019, the French Data Protection Supervisory Authority (CNIL) imposed a penalty of 50 million euros on Google. In its assessment, the CNIL considered itself competent to rule on complaints filed in France alleging unlawful processing of personal data by Google. The decision was made despite the fact that the complaints concerned a ‘cross-border processing’ in the EU, in respect of which the General Data Protection Regulation (GDPR) provides for a ‘one-stop-shop’ enforcement mechanism (1SS) by the supervisory authority (SA) of the ‘main establishment’ of a company in the EU. In its decision, the CNIL considered that Google EU headquarters ‘did not have a decision-making power’ in relation to the relevant cross-border data processing activities to which the complaints related. For that reason the CNIL decided that the 1SS mechanism did not apply and that the CNIL was therefore competent to make a decision. This article questions whether the CNIL is right to require that, for the 1SS mechanism to apply, the EU administrative headquarters has to determine the purposes and means of the relevant cross-border processing. If that is correct, the 1SS mechanism will de facto not be available for non-EU controllers (such as Google), as their EU administrative headquarters will rarely independently decide on the purposes and means of its cross-border processing activities in the EU. This exposes these companies to a potential accumulation of fines for their cross-border processing activities, as each and every national SA would be able to fine the company up to the maximum allowed under GDPR. As the CNIL’s decision focusses on non-EU headquartered companies, it is overlooked that this decision also severely impacts the availability of the 1SS for EU headquartered companies, also exposing these companies to a potential accumulation of fines. As the CNIL’s decision will set a precedent for other enforcement actions, it is of paramount importance to evaluate its merits. Overall, this article opposes the interpretation given by the CNIL and proposes an understanding of the 1SS mechanism that is consistent with the rationale of the 1SS, the legislative history of the GDPR, and the regime for Binding Corporate Rules.