Google LLC – €325,000,000 Fine (France, 2025)

Google LLC is a multinational tech company that has developed services such as the Google search engine and Gmail mail. In this case, Google LLC and Google Ireland Limited are joint controllers. A data subject (represented by noyb) brought a complaint to the DPA in August 2022, on the grounds that they received advertising emails in the “Promotions” tab of their Gmail account without consent. The DPA carried out on-site investigations in September 2023. The controller argued that the DPA was not competent, as the case involves cross border processing of personal data. Therefore, the GDPR is applicable, and the lead supervisory authority is the Irish DPA. Furthermore, Google Ireland Limited was the controller, rather than Google LLC and Google France. The DPA first clarified matters of material and territorial competence. The DPA stated that the case involved the provision of publicly available electronic communications services via the public electronic communications network within the EU. This case fell under the scope of the ePrivacy Directive and not the GDPR. In the absence of a one stop shop mechanism, the DPA was responsible for monitoring the application of the ePrivacy Directive regarding processing in the context of the activities of an establishment of a cross-border entity on French territory. The DPA considered Google France as the establishment of the controller on French territory, taking into account the CJEU’s flexible interpretation of establishment. The DPA then stated that Google Ireland International and Google LLC jointly determined the purposes and means of the processing operations of Google’s services to data subjects residing in France, and held them accountable as joint controllers under Article 4(7) GDPR. The DPA found a violation of [https://www.cnil.fr/fr/le-cadre-national/la-loi-informatique-et-libertes#article82 Article 82 of the French Data Protection Act] (transposing Article 5(3) ePrivacy Directive), as the consent of users