Don't Be Stupid: 3 Lessons from Google's Geographical GDPR Goof


Late last month, France's National Data Protection Commission (CNIL) — the nation's Data Protection Authority (DPA)  levied a record €50-million GDPR fine against Google. The GDPR violations at issue, per CNIL, arose from data abuses involving how users' Android accounts were configured, how their mobile data was handled, and how their consent to so handle their data was obtained.

The problem for Google (other than the fine itself): For the past 15 years, Google has designated Google Ireland Ltd., in Dublin, as the base of its European operations — so it had thought. Moreover, GDPR is known for a "one-stop shop mechanism" that generally allows organizations to be subject primarily to the DPA governing the member-state in which the organization's principal place of business within the EU is located. 

So why did France — a nation with over a billion tax-related reasons to despise Google — take the lead in this case over what might have been a much friendlier Ireland (which actually does get some of Google's tax dollars thanks to a nifty tax shelter that Google and other big-time multinationals take advantage of)? 

Because apparently Google screwed up big time. 

The complaint was brought in France. From there, CNIL found that all of Google's data collection and processing operations were taking place not in Ireland — or anywhere else in Europe — but at Google LLC's US headquarters in California.

Google, what does 'facepalm' mean?  

But wait! There's more! According to the CNIL's ruling (link in French), justifying its authority: 

  • Google's Android operating system "is developed solely by Google LLC" (i.e., Google in the US)
  • As of May 25, 2018, nowhere in its privacy policy does Google once so much as mention Google Ireland Ltd. or indicate that Google Ireland Ltd. is the main decision maker as to "the purposes and means of [relevant data] processing"
  • Google Ireland Ltd. didn't have a GDPR-mandated Data Protection Officer (DPO) to "be in charge of the processing of personal data" in the EU
  • In a letter dated more than six months after the GDPR action was brought against it, Google admitted in a letter mailed to Ireland's DPA (the Data Protection Commission, or DPC) that it would not finalize making Google Ireland Ltd. responsible for "certain processing of personal data concerning European citizens" until January 31, 2019. 

In other words, Google's principal place of EU business specifically related to the data practices at issue was in the US — where no EU member-state's DPA has inherent priority over another. Therefore, the nation that received the complaint — France — got the lead. 

How to keep a one-stop shop 

According to Deborah Shinbein Howitt, Director at Denver law firm Lewis Bess Williams & Reese, there are some takeaways here to help an international organization benefit from the "one-stop shop" jurisdiction it prefers — and not botch things so badly as to suffer Google's fate: 

1. Lead supervisory authorities aren't just "on paper" 

"[T]he company must ensure that the data controller and the key decision makers regarding personal data are in fact located in the desired country," says Shinbein Howitt. And, of course, if not all EU personal-data handling is controlled and decided upon in "the desired country," don't be surprised if a DPA from another member-state comes a-knockin'. 

2. Where's the DPO? 

Shinbein Howitt further points out that if a company is required to have a DPO to oversee the processing and/or control of EU personal data, one should make sure that that DPO is "located in the desired country where the decisions are made" (as per her suggestion above). 

3. Ubiquitous consistency 

Any company that wants a particular EU location to be treated as its EU principal place of business needs to keep its messaging consistent. Shinbein Howitt urges that such organizations "clearly list the applicable location as the responsible controller in its privacy policy" (to say nothing, to the extent legally possible, of doing the same in official correspondences). 

Note: This article is provided for informational, educational, and/or entertainment purposes only. Neither this nor other articles here constitute legal advice or the creation, implication, or affirmation of an attorney-client relationship. For actual legal advice, personally consult with an attorney licensed to practice in your jurisdiction.