What CNIL’s recent judgement against Google tells us about Main Establishment
As the GDPR is less than a year old, it is very useful to look at the activity of the various supervisory authorities to see how they are implementing the regulation. A first hand example of what enforcement looks like.
The recent fine that the French Data Protection regulator (CNIL) hit Google with (€50m) looks like it will have lasting repercussions on the entire AdTech industry but it is also worth looking at what it says about the territorial scope of the GDPR.
Google has its 'main establishment' in Dublin but CNIL still felt it was able to apply a direct fine to Google rather than go through the Irish Data Protection Commissioner. This seems to be at odds with the GDPR One Stop Shop mechanism. CNIL outline why they felt they could fine Google directly:
CNIL based its decision around a number of criteria:
Google Ireland has its HQ in Dublin, but CNIL wanted to know what level of decision making regarding the processing of 'personal data' was made at their Dublin offices. Namely:
"It is therefore necessary to assess the decision-making powers available to Google Ireland Limited to determine whether it qualifies as a principal place of business."
CNIL decided that even though Google Dublin has significant Finance, HR, Sales and advertising resources in place. It did not have:
"For users based in the European Economic Area or Switzerland, the data controller responsible for your information is Google Ireland Limited, unless otherwise stated in a service-specific privacy notice. In other words, Google Ireland Limited is the Google affiliate that is responsible for processing your information and for complying with applicable privacy laws."
Data Protection Officer
It should be no surprise that the presence of the DPO is also considered crucial. The DPO is a critical role in any organisation the size of Google and the fact it did not have one in Dublin - diminishes its claim that Dublin is its main establishment:
"It also points out that Google Ireland Limited did not appoint a data protection officer who would be in charge of the processing of personal data that it could implement in the European Union"
Supervisory Authority Co-operation
Google confirmed in their communication with the Irish DPC that full responsibility for the data processing would not be fully transferred to Dublin until the 31st of January 2019. This highlights the co-operation between the Irish and the French data protection authorities. You have been warnedl!
"the company itself indicated, by mail dated December 3, 2018 addressed to the DPC, that the transfer of responsibility of Google LLC. to Google Ireland Limited on certain processing of personal data concerning European citizens would be finalized on 31 January 2019"
So what does this tell us? If you want to use Ireland as your main establishment you need to:
- Make data processing decisions in Ireland and record these in meeting minutes that can subsequently be shared with Supervisory Authorities.
- Appoint a Data Protection Officer who is resident in Ireland
- Be conscious of supervisory authority co-operation.
Any questions about Main Establishment, get in contact with us below: