A new press release out of France reports, “On 25 and 28 May 2018, the National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN). LQDN was mandated by 10 000 people to refer the matter to the CNIL. In the two complaints, the associations reproach GOOGLE for not having a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes.”
The release continues, “The CNIL immediately started investigating the complaints. On 1st June 2018, in accordance with the provisions on European cooperation as defined in the General Data Protection Regulation (“GDPR”), the CNIL sent these two complaints to its European counterparts to assess if it was competent to deal with them. Indeed, the GDPR establishes a “one-stop-shop mechanism” which provides that an organization set up in the European Union shall have only one interlocutor, which is the Data Protection Authority (“DPA”) of the country where its “main establishment” is located. This authority serves as “lead authority”. It must therefore coordinate the cooperation between the other Data Protection Authorities before taking any decision about a cross-border processing carried out by the company.”
It goes on, “In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow to consider that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.”
Read more here.
Image used under license from Shutterstock.com