On 21 January 2019 the French data protection regulator CNIL imposed a financial penalty of 50 million euros on Google LLC under the GDPR. This is the first case involving a significant fine against a well-known company and provides some pointed lessons for other businesses in their efforts to remain fully GDPR compliant.
Reasons for the CNIL decision
The reasons behind the decision were, according to the official CNIL website, the “lack of transparency, inadequate information and lack of valid consent in relation to the ads personalisation”. The decision highlights how important it is to have easily accessible, clear, unambiguous and comprehensive privacy notices available to users (including language on types of data, legal basis, retention periods, etc.), as well as the right consent mechanisms for each specific purpose of processing, without pre-ticked boxes. Not long ago we covered the advertising dos and don'ts as part of our Cyber Week series, so that our client network was in the best position to make the most of this lucrative trading period without failing in its GDPR compliance. The decision is a stark reminder to all that even the most well-resourced brands can get it wrong. If you’re not absolutely clear on your GDPR compliance, you may like to make use of our quick and easy-to-use GDPR Checklist tool.
Background to the case
The case started with two group complaints received by CNIL, and there is no doubt that many cases are currently being investigated by various European Data Protection Authorities, including the Information Commissioner’s Office (ICO) in the UK. The GDPR establishes a “one-stop-shop” mechanism under which a data controller typically deals with the data protection authority in the country where its main establishment is based. That authority is the “lead authority”, which coordinates any cooperation with other data protection authorities in relation to decisions concerning cross-border processing. It appears that CNIL discussed the matter with other data protection authorities within the EU, including the Irish data protection authority, in whose country Google's European headquarters are based, and it was decided that the “one-stop-shop” mechanism was not applicable, specifically in the context of the Android operating system and the set-up of Google accounts on mobile devices. CNIL therefore had the authority to investigate the complaints and take appropriate action against Google. Following the investigation, including online inspections, the following violations of the GDPR and the French Data Protection Act were observed by CNIL:
"A violation of the obligation of transparency and information"
CNIL held that the information provided by Google was not easily accessible to its users. Essential information, such as the purposes of data processing, data storage periods and categories of personal data used for ad personalisation, was “excessively disseminated” across several documents. The relevant information was only accessible after a number of steps, sometimes as many as 5 or 6 (as with the geo-tracking service). In addition, some information was seen to be “not always clear nor comprehensive”. CNIL stated that users would not be able to fully understand the extent of the processing operations, bearing in mind that such processing is seen as “particularly massive and intrusive” due to the number of services offered (around 20) and the amount and nature of the data processed and combined. The purposes, the legal basis for processing and the categories of data processed, as stated in the documents, were considered to be too generic and vague, and the information on retention periods was not sufficient.
"A violation of the obligation to have a legal basis for ad personalisation processing"