On January 21,2019 the French data protection authority (the CNIL) imposed a major fine on the U.S. Google entity, Google LLC. It follows two complaints filed as soon as the GDPR came into force by two consumer rights associations, None of Your Business and La Quadrature du Net.
Google argued that the Irish DPC should have investigated and enforced the complaints that led to this decision. The CNIL:
- was clear that, for the one stop shop to even be an option, the EU establishment claiming to be the main establishment in the lead authority member state must have decision-making power over the processing of personal data at stake;
- As a result, any EU data protection authority (DPA) had the ability to investigate and enforce in relation to the infringements in its jurisdiction, and the CNIL investigated and enforced the French infringements. The fine was imposed on Google LLC but sent to Google France for implementation (presumably as Google LLC’s presumed or agreed EU representative).
Other controllers should review the determinations they have made about lead authorities, focusing on the Art 29 WP guidance. It is possible for there to be different lead authorities for different processing activities within the same group, which can make this very complex.
If the processing is controlled from outside the EU, appointing an EU representative is required (which appears to have the advantage of allowing breach notification solely to the DPA in the EU representative’s member state). A clear position on this is essential for breach reporting, given that decisions as to which authority to notify need to be made within 72 hours.
Consent tick boxes
When configuring an Android device the user is invited to create, or sign into, a Google account. To avoid creating the account the user had to click “ignore”, whereupon the user was told of the benefits of using a Google account with the Android device before being able to proceed further.
The CNIL did not accept that this amounted to specific and unambiguous consent on the basis that:
- the user was asked to consent to a very wide range of processing;
- in order to make the consent more granular, he/she had to take proactive steps to click to another “hidden” layer; and
- the ads personalization box was pre-ticked. In order to be compliant, the consent journey would have needed to have offered the user the specific consent options unticked before offering a final unticked box which would allow the user to consent to/ not consent to all the different purposes.
The CNIL’s position on consent echoed its Vectaury decision where it was critical of any overstated downsides in not giving consent, and gave the same message about pre-selected tick boxes.
Consent gathering methods for email marketing are now usually in line with these requirements. The position is, however, less clear in relation to many ad tech consent gathering mechanisms, where it is common to provide for group consent to different purposes under a single “I accept” button.
Since the GDPR came into force the CNIL has given five formal notices to ad tech companies in relation to their consent-gathering mechanisms. Both ad tech companies and publishers should be assessing whether any changes are now required.
Google has to cover a lot of products and data uses in its privacy documentation. Its efforts to make these digestible and accessible did not satisfy the CNIL. The CNIL described Google’s processing as “particularly massive and intrusive” and capable of revealing with a significant degree of precision many of the most intimate aspects of a person’s life, which required the privacy notice to be particularly clear and intelligible.
- it did not bring home how extensive the intrusion into the user’s private life could be – rather, it used vague high-level descriptions;
- the title for the section of the policy on retention periods was “Export and delete your information”. The CNIL did not think users would expect this to include retention periods. In addition, some retention categories did not specify duration or criteria for determining the duration.
- These failings also meant that the consent was not informed.
Such failings should be easier to avoid for controllers with less extensive and less complicated data collection practices.
The grace period (if there was one) for articulating retention periods into privacy polices appears to be over, and controllers should be looking to add more detail to this part of their privacy policies.
Level of fine
€50 million is a massive fine by EU standards. The CNIL cited the following reasons for the amount of the fine:
- the centrality of the information, transparency and lawful basis principles to data protection, and that Google’s infringement was in the top fining tier under the GDPR;
- the breach was not one-off or spontaneous – it was ongoing;
- a large amount of personal data relating to a large number of data subjects was involved (millions of users in France) from a multiplicity of sources;
- the information was particularly enlightening about data subjects’ lifestyles, opinions and social interactions, and therefore closely affected their identity and privacy;
- the lack of transparency and consent to personalized advertising processing is counter to the legitimate aspirations of individuals who want to retain control of their personal data – this control being one of the major thrusts of the GDPR; and
- Google’s business model is partly based on personalized ads and therefore it has a particular responsibility to operate it in compliance with the GDPR.
The fine only relates to the French processing, and it remains to be seen if any other DPA will seek to impose fines for their jurisdiction (given that the CNIL is not competent in these circumstances to impose fines in respect of infringements in other member states).
No indication is given as to how the fine was calculated, nor as to how important each of the cited factors was. If Google appeals, with luck, the appeal judgment may shed more light.
Finally, it would appear that any unofficial implementation period enforcement amnesties are ending.
For more information
The CNIL press release on the decision is in English. The full decision is only in French.