The French data protection regulator, the CNIL, recently fined Google a record £44 million (50 million euros) for breaching the EU's data protection law. Contributor Karen Holden, Founder – A City Law Firm.
This is making headline news because it is a record fine for what is seen as a major breach of the General Data Protection Regulation (GDPR), which became applicable on 25 May 2018. What makes the case even more remarkable is that the complaints against Google were filed with the French regulator in May 2018 by two privacy rights groups, and against a company whose European headquarters were, and still are, in Ireland. The first complaint claimed that Google had no legal basis to process personal data for the personalisation of advertisements.
How can a French regulator fine an Irish company?
Under the GDPR's "one-stop-shop" mechanism you would normally expect the Irish regulator to lead, since a company's main EU establishment determines which supervisory authority is in charge. The CNIL found, however, that the overarching decisions about the processing operations complained of (targeted advertising to Android users) were not made by Google's Irish offices, or by anyone else in the EU, but by the US parent company. Because there was no main EU establishment for this processing, the CNIL was free to act on its own. It reached that conclusion after consulting the other EU supervisory authorities, including the Irish Data Protection Commission (DPC).
The CNIL stated that the record fine was for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation."
In the watchdog's view, Google had not sufficiently informed people about how it collected their personal data and used it for personalised advertising.
The lack of transparency goes to the heart of obtaining valid consent from an individual. The regulator found that "essential information" was "disseminated across several documents." Individuals could not see all of the relevant information in one clear place; they had to work through several steps to find it, and that process left users without a clear understanding of Google's processing operations, what data was collected, for how long it was retained, and for which purposes.
The GDPR requires organisations to have a legal basis (set out in Article 6) for collecting and processing personal data. Here the regulator found that Google had no valid legal basis for processing individuals' data for ads personalisation. Google did offer users an option about personalised ads when an account was created, but the box was "pre-ticked" by default. That is a fundamental breach of the GDPR: a pre-ticked box does not amount to consent (Recital 32).
Under the GDPR, where consent is relied on as the legal basis for collecting and processing data, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action on the part of the individual (Article 4(11)). For consent to be valid, the information presented must also have been clear and transparent enough for the person to make an informed decision, and the consent must be specific to the purpose for which it is obtained: one blanket tick covering every purpose is not sufficient.
What can be learned from this?
It should be noted that this was not a case of Google flagrantly ignoring the rules. Like many other organisations, Google had changed its operations and processes in the run-up to the GDPR. The CNIL simply decided that the measures Google had taken were not good enough.
Compare Germany, where the social network Knuddels was fined only 20,000 euros by the Baden-Württemberg data protection authority after its user data was hacked and published, the fine being based on the way the network had stored that data (it held users' passwords in unencrypted plain text). This was the first fine imposed in Germany under the GDPR (DSGVO in German), and Knuddels itself acknowledged that the penalty was relatively mild, which the authority attributed to the company's cooperation with the investigation.
So what is the defence: that you made the effort, that you cooperated with the investigation, or both? Perhaps even that is not enough if you have the resources and funds to ensure compliance. The Google case involved a very large establishment and the fine clearly reflects that, so how far these lessons apply to more modest companies is hard to gauge.
The Google case nevertheless sends a strong message that should be received loud and clear: regulators have the power to levy huge fines on companies found to be in breach, and they are willing to use it even against companies headquartered outside their own jurisdiction.
On a practical note, the decision also highlights a design choice that other organisations may have got wrong when dealing with ad personalisation and consent. An individual must specifically consent to each purpose for which their data will be used; a catch-all indication of consent will not do, and a box that is ticked by default is not consent at all. Regulators repeated the rule against pre-ticked, all-purpose consent boxes throughout 2017 and 2018, so it is not surprising that a large establishment like Google was penalised for failing to change this process.
What can we expect in the future?
Google commented that "People expect high standards of transparency and control from us. We're deeply committed to meeting those expectations and the consent requirements of the GDPR." This is a strong statement which may go some way towards repairing the damage done by the outcome of the CNIL investigation. Remember that the financial penalty is only one annoying (and expensive) aspect of the punishment: Google now also has to contend with millions of users who may start to lose confidence in the company, and the decision may affect its online advertising revenues.
It remains to be seen what will follow on appeal. The case has certainly sent ripples through the tech world and raised questions about how personal data is collected and used. The GDPR is not simple to understand, and there will be lessons to learn over the next few years as regulators take more decisions. Only then will we know the best ways to implement it.