Norton Rose Fulbright - Data Protection Report blog

Five years after the commencement of legal proceedings against Google by leading French consumer association UFC Que Choisir, the Paris “Tribunal de Grande Instance” (TGI), in a decision dated 12 February 2019, issued its ruling on the legality of the Google+ Terms of Use and Privacy Rules, both with respect to consumer law and personal data protection regulations.

UFC asked the judges to declare Google’s policies unlawful and abusive, on the grounds that they did not respect consumers’ privacy and personal data. The court examined 209 clauses and declared 38 of them unlawful. It should be noted that the length of the legal proceedings meant that Google had already amended its terms of use and privacy policy, with a view to bringing them more in line with French and EU laws.

UFC Que Choisir also initiated legal proceedings against Twitter and Facebook. The TGI rejected 265 clauses from Twitter policies[1] and 430 from Facebook policies[2].

The key findings of the TGI in the Google case are set out below:

  1. The terms of use of a social network are subject to consumer law

Although no monetary payment was required to use Google+, the judges considered that such service was not “free of charge” since users provided their personal data to Google, which Google then monetised. Accordingly, the judges ruled that such personal data constituted goods from which Google derived an economic benefit in return for the service provided to users. The arrangement between the user and Google therefore constitutes a contract for pecuniary interest between a professional and a consumer and consumer law is therefore applicable.

  2. The real and primary purposes of the processing must be presented in the first block of information made available to the user

The judges criticised Google for not presenting the following information in the first level of information made available to the user: the recipients of the personal data, the methods of digital processing and, above all, the purposes for which the data is shared, in particular targeted advertising. This finding tracks the position adopted by the French data protection authority (the Commission Nationale de l’Informatique et des Libertés (CNIL)) in its formal notices against Vectaury, Fidzup and Teemo, where the companies were considered not to have informed the user in advance of the advertising targeting activities carried out via SDK technology, such information being provided only after the collection of the data.[3]

The judges stressed that users must be made aware, as soon as they begin to read privacy notices, of the extent of the collection of their personal data and the “real” purposes of such collection.

Moreover, the data controller cannot explain to consumers that personal data is collected merely as a means of improving the services when the primary purpose is in fact the commercial exploitation of such data for targeted advertising, even if the improvement of services remains part of the purposes for the processing.

  3. Consent can never be presumed

In line with recent decisions released by the CNIL, where consent was a particular new focus[4], the TGI in this case also criticised Google, on several occasions, for presuming that users consented to the processing of their data, rather than proactively obtaining such consent in a lawful manner. In particular, the judges focused on the following data processing:

Geolocation data: It is not sufficient to just inform users of the collection of geolocation data (such as IP addresses). Organisations must instead also provide users with the means of granting consent and refusing the collection of such data. In the present case, Google merely informed the consumers that geolocation data was being collected, without first obtaining the users’ consent or providing information about how such data was processed. The judges also emphasized the data controller’s obligation to inform the users of how they can exercise their right to object to such processing. This case echoes the CNIL’s decisions to issue formal complaint notices (mise en demeure) to several companies at the end of 2018 for failure to obtain consent for geolocation data.[5]

However, the tribunal helpfully did hold that, contrary to UFC Que Choisir’s position, the lack of information as to the precise technologies used to process geolocation data was irrelevant. What is key is just ensuring that users are informed that the processing of this type of data occurs.

Cookies: The Google terms referred to the use of “cookies or similar technologies” to collect personal data when the user accesses Google+ or a third-party site using Google’s advertising services.

Once again, the judges criticized Google for presuming the users’ consent to the collection of their data via such technologies, such presumption being non-compliant with the provisions of the French Data Protection Act. The judges ruled that the existence of a cross-reference to another section of the privacy notice, which explained users’ ability to delete, or prevent the setting of cookies at a later stage, was not sufficient to comply with French laws on consent. Consent must be obtained in advance.[6]

In addition, when the user is informed of their ability to deactivate the collection of data by means of cookies, they must also be clearly informed of the consequences of doing so and in particular of any service malfunctions that may occur. However, the tribunal held that Google’s warning that deactivation could give rise to possible malfunctions of the services was given “for manifestly dissuasive purposes”, and was therefore not compliant.

Combining of data sets: The judges noted that there was a “real presumption of consumer consent” with regard to the combining and cross-referencing of Google’s different data sets. They flagged that users have the right to refuse the combining of their data in this way and that the ability to revoke this combining at a later date is insufficient to comply with the French Data Protection Act.

  4. Users’ personal data do not belong to the data controller

The TGI ruled that the conclusion of the contract between Google and the user cannot be made conditional on the user granting Google a licence for all content, including personal data, imported, stored, sent and received by the user. In addition, the TGI ruled that the provision giving Google the right to modify or adapt users’ personal data in order to harmonize such data between different Google services (for example, by replacing “old names associated with your Google Account, so that you are presented in a consistent manner across all our services”) was also not permitted.

  5. Changes in privacy rules may sometimes require a new agreement

The judges readily accepted that privacy policies and terms of use are subject to regular changes. However, a distinction must be made between substantial amendments which significantly change the contract and require a new agreement from the user, and cyclical amendments, which require only a simple notification in real time or in due course. In the present case, the provision which did not make this distinction was declared unlawful and unfair.

Our take

The impact of the TGI’s findings on Google is arguably not significant, mainly due to the limited sanction imposed, the fact that Google had already amended the terms of use and the privacy notice that the TGI were ruling on, the deletion of the Google+ service in April 2019 and, of course, the various CNIL decisions that have been issued in recent months (many of which already covered these points). However, this judgment does still provide some practical guidance on how to draft privacy notices and consumer-facing terms, which companies would be advised to consider.

You will find the long version of our analysis in French here. We will be publishing a more detailed analysis of this case in English in due course.

[1] TGI Paris, 7 August 2018, UFC Que Choisir/Twitter.

[2] TGI Paris, 9 April 2019, UFC Que Choisir/Facebook.

[3] CNIL, Decisions No MED 2018-022 (TEEMO) and No MED 2018-023 (FIDZUP) of 25 June 2018, and decision No MED 2018-042 of 30 October 2018 (VECTAURY). It should be noted that these formal notices have been closed since then.

[4] See CNIL Decision No SAN – 2019-001 of 21 January 2019, which imposed a financial penalty against GOOGLE LLC, and our analysis of this decision.

[5] Decision No MED 2018-043 of 8 October 2018 (SINGLESPOT). It should be noted that these formal notices have been closed since then.

[6] This is also the position adopted by the Advocate General of the Court of Justice of the European Union in his recent opinion delivered on 21 March 2019 in the “Planet49” case. See our analysis of this position.