The GDPR’s one stop shop principle put to the test in French Supreme Court confirmation of CNIL jurisdiction over Google Android case. The Court also rebukes the spaghetti bowl of consent ticking and unticking.

Thank you Gaetan Goldberg for flagging that the French Supreme Court has confimed on 19 June last, jurisdiction of the French Data Protection Agency (‘DpA’), CNIL for issuing its fine (as well as confirming the fine itself) imposed on Google for the abuse of data obtained from Android users. The Court was invited to submit preliminary references to the CJEU on the one-stop shop principle of  the GPDR, but declined to do so.

Readers of the blog know that my interest in the GDPR lies in the jurisdictional issues – I trust date protection lawyers will have more to say on the judgment.

With respect to the one stop shop principle (see in particular A56 GDPR) the Court held at 5 ff that Google do not have a ‘main establishment’ in the EU at least not at the time of the fine complained of, given that the Irish Google office (the only candidate for being the ‘main establishment) at least at that time did not have effective control over the use and destination of the data that were being transferred – US Google offices pulling the strings on that decision. A call by the CNIL under the relevant EU procedure did not make any of the other DPAs come forward as wanting to co-ordinate the action.

On the issue of consent the SC referred to CJEU Cc-673/17 Planet49 and effectively held that the spaghetti bowl of consent, ticking and unticking of boxes which an Android user has to perform to link a Google account to Android and hence unlock crucial features of Android, do not amount to consent or proper compliance with GDPR requirements.

Geert.

Territoriality and delisting. Google score (cautious) French points ahead of Thursday’s AG Opinion in CJEU case.

On Thursday the Advocate-General will opine in C-136/17 G.C. e.a. and  C-507/17 Google (FR) – on which I reported ia here. The issue is, in the main, the territorial scope of EU data protection laws.

X v Google LLC at the Tribunal de grande instance de Paris on 14 November 2018 is a good warm-up, forwarded to me (for which many thanks) by Jef Ausloos (I have copy for those interested). The case concerns an article in Le Monde linking a French resident, active in international hotel management, to a Moroccan enquiry into pedophilia. The court’s review of the facts suggests an unsubstantiated link between X and the case – yet the damage to claimant’s reputation evidently is done nevertheless. Claimant requests delinking not just for searches performed in France on all Google extensions, but rather for all searches performed globally.

The court first of all observes that for searches performed in France, delisting of many of the identified urls has already happened – and orders on the basis of French law (which it applies, it suggests, per the GDPR) Google LLC to carry out delisting for the others in as far as searches are carried out from French territory. X’s privacy is given priority over freedom of expression and Google LLC’s US domicile is not mentioned as being relevant (no verbatim discussion of same is recorded in the judgment. X’s French nationality and domicile however, are, hence presumably it is the infamous Article 14  Code Civil which is at play here). Google’s argument that the as listed urls link to articles in languages other than French and relating to facts taking place outside of France is dismissed as irrelevant.

Claimant however had requested global delisting, regardless of the user’s geographical location. That, the court holds, is a request it cannot grant. Its refusal is justified in one sentence only: a global delisting order would be disproportionate in the case of a French national and resident, simply because his employment record is international:

‘une telle mesure apparaît ici disproportionnée, s’agissant d’un résident français, le seul caractère international de ces démarches d’emploi ne pouvant justifier d’une telle restriction, qui conduirait in fine à soumettre le réseau internet à une injonction de portée globale.’ 

The judgment therefore does not tackle the conceptual issues surrounding jurisdiction (which the Belgian courts, for instance, have been tempted into in the Facebook case), neither does it rule out global injunctions in cases which have more than just a fleeting international element.

Happy 2019.

Geert.