The French Commission nationale de l’informatique et des libertés (National Commission for Information Technology and Civil Liberties; ‘the CNIL’) has handed Google a major GDPR fine. The fine is for €50 million and Google has already said that it will appeal. This is not the first time that the CNIL has issued Google with large fines. However, two weeks ago, Google successfully overturned a previous CNIL judgement at the Court of Justice of the EU.
The press release states: “On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
There are several things about this judgement that will get the attention of boardrooms around the world.
- The size of the fine
- That it took over six months to come to a judgement
- That the CNIL not the Information Commissioners Office in Ireland dealt with the case
- How long the appeal will take and the grounds that Google appeals on
What is this all about?
In May of last year, the CNIL received two complaints about Google. They came from privacy campaign groups None Of Your Business (NYOB)and La Quadrature du Net (LQDN). Both alleged that Google was processing personal data of European citizens without having a valid basis to do so. One of the uses of the data was ad personalisation.
Before taking the case, the CNIL asked Ireland’s ICO if they wanted to deal with it. This is because Google is based in Ireland. Under the EU one-stop-shop mechanism, Ireland would be the lead authority in cases like this. However, it was quickly established that Ireland was unable to deal with issues around Android and Google LLC. As a result, the CNIL implemented the European Framework set out by the European Data Protection Board’s guidelines.
An inspection of how Google handled privacy data and responded to requests from users was carried out in September. The CNIL notes that Google breached the GDPR on two counts.
Violation of the obligation of transparency and information: It takes up to 6 separate actions to find what Google holds on a user. In addition the data is confusing and incomplete. This is compounded by deliberate vagueness in the way the use of data and the purposes of processing are explained.
Violation of the obligation to have a legal basis for ads personalisation processing: Google claims is has sought and received user consent for ads personalisation. The CNIL says it has not. It claims that the way data is collected and the information provided means that: “consent is neither specific or unambiguous.”
No catch-all phrases: Requiring a user to tick boxes such as “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” is insufficient. The GDPR states consent is specific only if given distinctly for each purpose.
Lessons for those who acquire user data
There are several lessons here for those who acquire user data to deliver services. Some will require significant process changes, for others it will mean increased user interaction. The fear for many websites is that the more they ask for consent, the less they will get. Privacy campaigners see it differently. They believe that there should be no ambiguity and all requests for data access should be clear,.
Some of the lessons that websites will have to deal with are:
- Make it easier for users to get access to their data
- Remove any ambiguity over what data is being gathered and how it is to be used
- If the data is processed by third-parties, users need to be fully informed and allowed to opt-out
- When providing data to users, it must be clear, easily accessed and easy to read
- The use of catch-all boxes such as “I agree to xxx Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” is insufficient.
In addition to this, companies need to make sure that the chosen Data Protection Authority can deal with all cases against it. Otherwise, it opens the door for other DPA’s to run investigations and levy fines.
The latter point is important. NOYB has already made 10 complaints about streaming services to the Austrian Data Protection Authority. It includes companies such as Apple, Amazon Prime and Spotify. These companies have their HQ’s in other EU countries. The question is, will the Austrian DPA seek to take control of all cases using the EPDB’s framework? If it does, and is successful, it will send a strong message across Europe about enforcement of the GDPR and the sharing of the workload.
Enterprise Times: What does this mean?
This is the first proper GDPR fine. It sets a benchmark against which other cases that are already underway will be measured. It also shows that obfuscation is no longer acceptable and that consent has to be very obviously specific. If not, companies risk the sort of fine that could significant impact their ability to survive.
However, there is a caveat here. This might look like a big fine but it could have been bigger. It also has to survive an appeal. This is why the detail of the CNIL judgement is important, especially the issue of catch-all tick boxes. These are used by many organisations and it is now likely that they will have to rethink how they gather consent.
There are also questions for organisations on how easy they make it for the user to see what consent they have given, how they can withdraw it and how they can gain access to their data. There are already cases in several countries over restricted access or attempts to continue to charge for access to data.
Until now, we have been in a phoney war where the Fear, Uncertainty and Doubt (FUD) from cyber security vendors has dominated. Every breach, irrespective of whether it could be prosecuted under the GDPR is touted as a major problem. Finally that phoney phase is over and the first major GDPR fine is in. There is a lot more to come and the CJEU is likely to be busy over the next few months.
