By Wayne Matus – SafeguardGDPRTM
23 January 2019

Was the CNIL’s rejection of Google’s selection of Ireland as its principle place of business in Europe under Article 4(16)(a) correct?

We first look at the decision, then the law and then the practical implications. What is our conclusion? The CNIL’s rejection of Ireland appears to have been wrong, but its decision should cause you to consider the location of your business processes.

THE DECISION

The CNIL first determined that objective criteria determine the principle place of business, and not the location of the head office – and stated that forum shopping is not authorized.

The CNIL then noted that Google Ireland had little decision-making power over the purposes and means of the privacy policy when an account is created with Google, only financial and accounting activities and the sale of ad space. Google Ireland was not mentioned in the Privacy Policy as the entity that made the main privacy decisions. Google Ireland did not have a data protection officer in charge of EU processing.

Accordingly, the CNIL stated: “In light of all of these elements, the Restricted Panel considers that Google Ireland Limited cannot be considered to be the principal place of business of Google LLC. in Europe within the meaning of Article 4 (16) of the GDPR …. In the absence of a principal establishment allowing the identification of a lead authority, the CNIL was competent to initiate this procedure and to exercise all of its powers under Article 58 of the GDPR.”

https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT00003803 2552&fastReqId=2103387945&fastPos=1

THE LAW

The text of Article 4(16)(a) does not appear to support the CNIL’s decision to reject Google’s choice of Ireland. The CNIL finds solid support in the clear language of Article 4(16)(a) for its initial determination that it is not the headquarters, but where “the decisions on the purposes and means of the processing of personal data” are taken, that matters for the designation of the “main establishment.” This proposition is grounded in traditional common law logic as well. For example, in Hertz Corp. v. Friend, 559 U.S. 77 (2010) the US Supreme Court held that  corporation’s principal place of business is “the place where a corporation’s officers direct, control, and coordinate the corporation’s activities. It is the place that Courts of Appeals have called the corporation’s ‘nerve center.’”

However, the CNIL’s determination that Google’s did not have a “main establishment” in the Union is highly questionable when one looks at the language of Article 4. Under Article 4(16)(a) a main establishment means “as regards a controller with establishments in more than one Member State, the place of its central administration in the Union ….” Since the CNIL acknowledges that Google conducts its sales, financial and accounting activities in Ireland, it is hard to argue that Ireland is not the place of Google’s “central administration” in the Union.

Under Article 4(16)(a), the main establishment is only shifted from the location of “central administration” if there is “another establishment of the controller in the Union and the latter establishment has the power” to make “the decisions on the purposes and means of the processing of personal data ….” As the CNIL has already determined that there is no such location in the Union, Google’s original designation should be respected. Article 4 only applies the location of “decisions on the purposes and means of the processing” test to shift the location of the “main establishment,” not initially to determine the location. So, if there is no “purposes and means” location for privacy administration in the Union, the “main establishment” remains the place of central administration.

Recital 36 of the GDPR is consistent with the logic applied by the CNIL: “The principal establishment of a controller in the Union should be determined on the basis of objective criteria and should involve the actual and effective exercise of management activities determining the main decisions as to the purposes and means of treatment in the context of a stable device.” However, it seems to be a bit of a stretch to read the Recital to mean that the application of objective criteria could result in no location being the “principal establishment.”

If this analysis is right, the CNIL lacked authority to take jurisdiction on the grounds that Ireland was not the main establishment.

Since, the CNIL’s decision can be appealed to the Council of State, Google will have to consider if it should take an appeal or make a more aggressive move against the CNIL in another forum. Not a simple decision considering one does not wish to burn relationships with a regulator.

PRACTICAL IMPLICATIONS

Many non-Union corporations have designated a “main establishment” in the Union based upon the “central administration” or “nerve center” concept. There is considerable precedent for applying this type of thinking in the law in myriad instances, and the GDPR applies it in the first instance as well. Where the GDPR is different is in its shifting of the “main establishment” in the Union to another location in the Union where privacy functions are located in another Union member. Where the CNIL is different is in voiding the “main establishment” selection in the Union if it does not have privacy functions.

A non-Union corporation that wishes to maintain its “main establishment” in the Union under the GDPR in the location where it has its primary business activities should move significant privacy activities to that location. To be safe, it ought to consider placing a privacy officer with real authority in that location, mentioning that location in its privacy policies and handling inquiries under the GDPR from that location.

 

Edition 2 | 2019 (c)2019 SafeGuardGDPR, LLC. All rights reserved. Confidential.