It has been rough weather for Google in France. Three weeks after the French ?Data Protection Authority imposed a record fine against Google for non-compliance with the GDPR, the Paris District Court ("Tribunal de Grande Instance") invalidated 38 clauses of Google's Privacy Policy and Terms of Use for Google+, the Internet-based social media network owned and operated by Google.  This decision was rendered on February 12, 2019 in an action that was initiated against Google Inc. in 2014 by an old French consumer not-for-profit organization, UFC QueChoisir. It took 4 years for the case to get to trial, and an additional 11 months to issue a 136 pages long decision, which is quite unusual according to French standards.  The court invalidated 38 of the Privacy Policy and Terms of Use clauses for Google+, which amounts to more than half of the total  number of clauses. The clauses were invalidated on various grounds, including non-compliance with the French Consumers Code, Data Protection Law and Intellectual Property Code. If you would like to know more about the IP issues that were discussed in the case, you can read our blog post here.  This decision does not come as a surprise. In August last year, UFC QueChoisir already obtained from the same panel of judges a decision which invalidated more than 250 clauses of Twitter's Terms of Use.  In this post, we are going to analyze the clauses which were held contrary to the French Data Protection Law. The court reviewed the clauses of the Privacy Policy and Terms of Use in the versions that were published between November 2013 and August 2016 and applied the French Data Protection law as it stood at that time, before it was put in line with the GDPR but the decision is nevertheless interesting because the findings would probably be the same under the GDPR version of the law.

Google failed to inform its users adequately about purposes and recipients

In line with the 1995 Data Protection Directive, the French Data Protection Law required the data controller to inform data subjects about a number of things, including the purposes of the data processing and the recipients of the data.  As regards, the purposes of the processing, clause 1 of the Privacy Policy stated that Google used the data "to improve our services" in various ways, including to send more relevant adverts and simplify and accelerate the sharing of information with other users.  The court held that Google derives most of its revenues from targeted advertising, that is the main purpose of the processing, but that the clause was too vague and general.  Clause 4 of the Privacy Policy stated that "the data we collect are used in order to improve the services proposed to users" and here, the court went further and implied that the clause was misleading since it was "abusive" to put forward the improvement of services "despite the fact that the real and main purpose of the collection is to organize targeted advertising".  As regards recipients of the data, the court held that the clauses did not provide any information about the recipients of the data.

Transfer of data outside of the EU: "numerous countries" not sufficient

The French Data Protection Law provided at that time (but this remains true under the GDPR), that the transfer of the data outside of the EU was only allowed if the country of destination provided an adequate level of protection or if certain precautions were taken.  Clause 19 of Google+ Privacy Policy stated: "we process your personal data on Google servers which are located is numerous countries of the world. Your personal data may be processed on a server located outside of your country of residence".  The court held that the clause was illegal because it did not list the countries to which the data is transferred and Google assumed that the users implicitly consented to such transfer.

Right of access, rectification and deletion: a right not a courtesy

The data subjects' rights to have access to their data and get the controller to rectify of delete it was very important right under the 1995 Directive and remains fundamental under the GDPR. There is an obligation to inform data subjects about their rights.  Article 23 of Google+ Privacy Policy stated "when you use our services, we wish you to have access to your personal data".  The court held that by presenting access to data as a possibility offered by Google rather than as a right, Google had violated the law.  For the same reason, the court also invalidated Clause 24 of the Terms of Use, which stated: "For us, you remain the owner of the data entrusted to us and we believe it is important that you should have access to your data".  Article 23 of the Privacy Policy also stated "If the data is inaccurate, we make sure that you can update it quickly or delete it, except if we have to retain the data for legitimate business purposes or if required under law".  The court held that this clause was contrary to the user's right to rectify the data.  Clause 22 of the Privacy Policy stated "Remember that when you share information publicly, the information may be indexed by search engines such as Google. Our services offer you several possibilities to share and delete your contents".  You may wonder what is wrong with this change. It seems to state a fact about how search engine work and to give information about possibilities offered to users. However, the Paris court held that it was illegal or abusive. The court referred to the decision rendered by the European Court of Justice on May 13, 2014 in the Google Spain case which created the right to be forgotten and said that Google should have informed users about their right to have their data erased and should not have assumed that users implicitly consented to their data becoming public.

Cookies: not too many hyperlinks before getting to the information

Article 12 of the Privacy Policy informed users that Google used "cookies and similar technologies", mentioned Google Analytics and Double Click and stated, "if you would like to know more about how you can have access to the information related to your Google account, how you can manage and delete the information, please read the Transparency & Freedom of Choice section of this Policy".  The Court said that the Data Protection Law required Google to inform its users in a clear and exhaustive manner about cookies and about how to refuse them and that the users had to consent to the use of cookies. Google had failed to provide that information: there were some explanations about how to object but users had to click on several hyperlinks before they could get the information.

The Practical Effect of Paris Court's Decision

One might take the view that the decision will have limited impact since Google announced last year that it would sunset the consumer version of its social media network effective on April 2, 2019. However, the impact of this decision is potentially much broader, because these clauses do not apply to Google+ only, they are also part of the common terms and policies which govern Google services generally.  UFC QueChoisir announced after this decision that "considering this decision and the fine ordered by the French Data Protection Authority on January 21st, 2019 [50 million fine under the GDPR], they now intend to seek a meaningful remedy for each individual consumer, in addition to the 30,000 euros damages awarded by the court for the damage caused to the collective interests of consumers".  It looks like Google is not out of the French woods. European woods are currently not very welcoming either: on the basis of antitrust legislation, the European Commission just fined Google €1.49 billion for abusive practices in online advertising.

To view Foley Hoag's Security, Privacy and The Law Blog please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.