On 21 January 2019 the French data protection regulator, CNIL, imposed a financial penalty of €50 million on Google LLC under the GDPR. This is the first case involving a significant fine against a well-known company, and it provides some pointed lessons for other businesses in their efforts to remain fully GDPR compliant.
Reasons for the CNIL decision
The reasons behind the decision were, according to the official CNIL website, the “lack of transparency, inadequate information and lack of valid consent in relation to the ads personalisation”. The decision highlights how important it is to have easily accessible, clear, unambiguous and comprehensive privacy notices available to users (including language on the types of data, the legal basis, retention periods, etc.), as well as the right consent mechanism for each specific purpose of processing, without pre-ticked boxes.

Not long ago we covered advertising dos and don'ts as part of our Cyber Week series, so that our client network was in the best position to make the most of this lucrative trading period without failing in their GDPR compliance. This decision is a stark reminder to all that even the most well-resourced brands can get it wrong. If you are not absolutely clear on your GDPR compliance, you may like to make use of our handy, quick and easy-to-use GDPR Checklist tool.
Background to the case
The case started with two group complaints received by CNIL, and there is no doubt that many other cases are currently being investigated by various European data protection authorities, including the Information Commissioner’s Office (ICO) in the UK. The GDPR establishes a “one-stop-shop” mechanism under which a data controller typically deals with the data protection authority in the country where its main establishment is based; that authority is the “lead authority” and coordinates cooperation with the other data protection authorities on decisions concerning cross-border processing. It appears that CNIL discussed the matter with other data protection authorities within the EU, including the Irish data protection authority (Google’s European headquarters are based in Ireland), and it was decided that the “one-stop-shop” mechanism was not applicable, specifically in the context of the Android operating system and the set-up of Google accounts on mobile devices. CNIL therefore had the authority to investigate the complaints and take appropriate action against Google. Following the investigation, which included online inspections, CNIL found the following violations of the GDPR and the French Data Protection Act:
"A violation of the obligation of transparency and information"
CNIL held that the information provided by Google was not easily accessible to its users. Essential information, such as the purposes of data processing, data storage periods and the categories of personal data used for ad personalisation, was “excessively disseminated” across several documents. The relevant information was only accessible after a number of steps, sometimes as many as five or six (for example, for the geolocation tracking service). In addition, some information was found to be “not always clear nor comprehensive”. CNIL stated that users would not be able to fully understand the extent of the processing operations, bearing in mind that such processing is seen as “particularly massive and intrusive” due to the number of services offered (around 20) and the amount and nature of the data processed and combined. The purposes, the legal basis for processing and the categories of data processed stated in the documents were considered too generic and vague, and the information on retention periods was insufficient.
"A violation of the obligation to have a legal basis for ad personalisation processing"
According to CNIL, Google stated that it obtained the user’s consent for ad personalisation purposes; however, the committee considered that the consent was not validly obtained. First, the information on processing for ads personalisation was spread across several documents, which did not help users understand it, and therefore “the users’ consent is not sufficiently informed.” Secondly, the consent collected was deemed neither “specific” nor “unambiguous”. Even though users were able to modify some options when creating their account, the GDPR was not “respected” because the ads personalisation settings were pre-ticked, whereas the GDPR treats consent as “unambiguous” only when the user takes a clear affirmative action, such as ticking a box that is not pre-ticked. Finally, before creating an account the user is asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. The consent given therefore covers all the processing operations carried out by Google (ads personalisation, speech recognition and others), whereas the GDPR provides that consent is only “specific” when it is given separately for each purpose. The amount of the fine was said to be justified by the “severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent.” It seems that Google intends to appeal the fine, and the outcome will give us all further vital pointers on what the GDPR will mean for businesses in 2019.