On 21 January 2019, the French Data Protection Authority (CNIL) hit Google LLC with an incredible fine of €50m. Implications of the decision for online account management and marketing will no doubt be discussion points for some time to come.
Since the GDPR entered into force, everyone’s been waiting to see which European Data Protection Authority (or DPA) would make use of the huge fines allowable under GDPR (the greater of €20m or 4% of global turnover), and to see what kind of violations would provoke large fines.
On 21 January 2019, we had the answer. CNIL, the French DPA, has hit Google LLC with an incredible fine of €50m. There are several interesting aspects of this case to unpack.
The complaint was filed on behalf of 10,000 users by Max Schrems’ non-profit organization NOYB (“None of your business”). Yes, that’s the same Max Schrems whose legal claim tore down the EU-US Safe Harbor mechanism, now replaced with Privacy Shield. This is the first time that a non-profit organization has taken action under Article 80 of the GDPR on behalf of users in the exercise of their rights.
It was interesting to see how CNIL coordinated its actions as set out under GDPR.
The complaint was initially submitted to CNIL in France and, as described in their announcement, ‘the CNIL immediately started investigating and sent these complaints to its European counterparts to assess if it was competent to deal with them’.
The Irish DPA, where Google’s European headquarters are situated, established that the Android operating system, and related services, were directly carried out by Google LLC and not by Google’s Irish subsidiary.
CNIL was therefore competent to take any decision regarding processing operations carried out by Google LLC, the US Parent company, and continued its investigation.
CNIL based its decision, and the huge fine, on what it called a ‘lack of transparency, inadequate information and lack of valid consent regarding the ads personalization’.
It’s worth noting that under GDPR ‘The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used’. Instead, CNIL said that the relevant information was accessible only after several steps, implying up to 5 or 6 actions (eg: for the geo-tracking service).
As important context here, CNIL’s decision states that ‘the processing operations are particularly massive and intrusive because of the number of services offered (about twenty), the amount and the nature of the data processed and combined’.
CNIL held the consent Google obtained to ad personalisation was invalid for 2 reasons. First, CNIL decided that the consent was not sufficiently informed, in that ‘it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, Youtube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined’.
Secondly, when creating their account, users can click on a ‘More options’ button, but – surprisingly – in this section the choice to display personalised ads was pre-ticked. Pre-ticked check-boxes are specifically called-out by GDPR as unacceptable, with CNIL noting that ‘consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance).
And finally, when creating the account, the user has to give consent in full for all processing operations (ads personalization, speech recognition, etc.) whereas GDPR requires consent to be specific, give for each purpose.
This isn’t the first time Google’s privacy practices have come to the attention of EU regulators and will no doubt not be the last – Google is a clear and large target. Some aspects of the decision are unsurprising (the use of pre-ticked check-boxes, for example). However, it will be interesting to see the repercussions of some other aspects on common practice over 2019.