Google fined €50M by the CNIL under the GDPR


On 21 January 2019, the French data protection supervisory authority (Commission Nationale de l’Informatique et des Libertés – the “CNIL”) fined Google LLC 50 million Euros for breach of the General Data Protection Regulation (the “GDPR”).

In today’s communication (in French), the French authority issued the highest fine it has imposed since 25 May 2018, against Google LLC, for severe infringements of the GDPR: failing to properly inform users and to collect valid consent for targeted advertising services.

SCOPE OF THIS DECISION. It is worth noting that this decision is solely based on the CNIL’s investigation of the configuration of a new Android device by a user for the first time. This particular infringement of the GDPR only relates to the privacy notice displayed to users when they create an account and when logging into their new Android phone. However, the full complaint has not yet been examined by the CNIL and goes far beyond that. The complete case is much broader and relates to targeted advertising on the YouTube, Gmail and Google Search platforms. The CNIL will have to examine whether or not Google “forced” users to consent to sharing their personal data via Google’s targeted ads services. So we can expect to hear more from the CNIL on this case in the upcoming months. This is probably only the beginning of a long series for 2019. The two organizations also filed (as explained below) similar complaints against other GAFAM companies in several jurisdictions.

________________________________

FINDINGS OF THE CNIL

The CNIL considered that Google did not comply with the GDPR for three main reasons: (1) lack of transparency (art. 5 GDPR); (2) insufficient information (art. 12 and 13 GDPR); and (3) invalid consent collection (art. 7 GDPR). The two complaints were brought by Max Schrems’ non-profit organization “None Of Your Business” (NOYB) and by La Quadrature du Net, a French association that gathered complaints from 9,974 individuals. Those two organizations claimed that Google’s services, including the targeted advertising services on Android OS, did not comply with the obligation to process personal data on a proper legal basis (art. 6 GDPR), forcing users to share massive amounts of personal data and therefore compromising their privacy without their consent.

Those complaints have just been confirmed by the CNIL in today’s findings. It is also interesting to read on NOYB’s blog that Google will move its EU headquarters to Ireland with effect from 22 January 2019, with the Irish DPA (Data Protection Authority) as the lead authority.

The French authority adds some interesting considerations to its findings. The CNIL explains that with Google’s current services, due to the way the data are collected, the volume that can be processed and the type of data collected through those services, the processing can reveal entire parts of someone’s life, which becomes very intrusive. The CNIL also took into account the fact that Google’s business model is partially based on those intrusive services.

Finally, the CNIL explains that, essentially, despite Google’s efforts to change its processes, Google is still not compliant. This also means that as long as Google remains non-compliant, it may face other complaints and, potentially, other fines unless the way Google processes data about individuals changes drastically.

________________________________

HISTORY OF THE CASE

Two massive complaints on 25 and 28 May 2018 for €7.6bn

25 May 2018. Max Schrems – the Austrian privacy advocate who provoked the cancellation of the Safe Harbor framework by the European Court of Justice (see judgement here) – founded a non-profit organization called “None Of Your Business” (NOYB) to support consumers and data subjects in filing complaints against companies and with authorities to enforce and protect their privacy. On the very day the GDPR became enforceable, 25 May 2018, Max Schrems sued Instagram (Belgium), WhatsApp (Hamburg), Facebook (Austria) and Android (France) through his NGO with a massive complaint amounting to €7.6bn for infringement of the GDPR. Find more details on NOYB’s website here.

28 May 2018. The French digital rights group “La Quadrature du Net” lodged a complaint on 28 May 2018 against Google, Apple, Facebook, Amazon and LinkedIn before the CNIL on behalf of 12,000 individuals for illegal processing of personal data.

The CNIL’s sanction of €50 million issued today is only one sanction against one company – Google LLC – and in one jurisdiction. There are most likely other sanctions to come if other authorities follow the CNIL’s reasoning and considerations.

In terms of procedure, Google can appeal against this sanction and contest the fine (edit 24 January 2019: which the company has announced publicly). Even if the fine remains low compared to the €4bn it could incur in the event of a maximum fine, the amount is high for this case. In its public statement, Google said:

We’ve worked hard to create a GDPR consent process for personalised ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing

By appealing against this decision, Google wants to initiate the process of setting a precedent in interpreting the GDPR’s requirements on information, transparency and how to validly obtain consent, particularly in the area of targeted advertising.

Google’s appeal is therefore highly strategic. Not contesting this fine would create room for potentially more severe sanctions, especially as the scope of the case is limited. In addition, it could be seen as an indirect acknowledgment of responsibility for using non-compliant practices.

Finally, Google defends itself by arguing that it has worked hard to set up data collection in order to respect transparency, but also said:

We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond

We will see whether this work has been sufficient or not, and how strong this EU Regulation can effectively be in practice.

________________________________

THE CASE IN MORE DETAILS

To get into more details, the CNIL provides the following explanations to justify the sanction against Google:

  • Breach of transparency: the transparency principle refers to how you inform individuals about the processing activities. This usually takes the form of privacy notices. This information is supposed to remain concise, clear, accessible, unambiguous and intelligible by any person.

This was not really the case. Google spread all that information across many separate places through links and buttons, which made it very difficult and time-consuming to access and understand. In the end, all that information was only accessible after 5 or 6 actions, in any case after several steps, before a person could find out what data are collected about them. The information was not clear enough: vague and described in too generic a way. That means that if nobody takes the time to read that information (why Google collects your data, for what purpose, for how long, what categories of data are used for targeted advertising, etc.), the obligation of having a clear and easily accessible notice is not met. Also, Google failed to inform users about the retention period of certain personal data (for how long Google will keep that data).

  • Invalid consent: Google requested the consent of the users to collect their personal data. However, the CNIL considered that this legal basis was not valid for the customized advertising options for the following two main reasons:

The consent was not informed. This means that users do not understand the scope of use of the data. For example, in the “customized publicity” section, it is not possible to see how many services, sites and applications are involved in the processing, and there is no information about the volume of personal data that those services will process and combine.

The consent was not specific or unambiguous, despite the fact that users may have had the ability to select several parameters. According to article 7 of the GDPR:

request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language

With Google’s targeted advertising services and options, the users could only access those parameters by clicking “more options”. Also, the “targeted advertising” option was already pre-ticked, which forced the user to turn it off. So the option remains active if the user does nothing, unless the user actively disables it. Therefore, using pre-ticked boxes is contrary to the principle of privacy by default (art. 25 GDPR), which requires any such settings or parameters to be turned off by default so that the user enjoys maximum privacy protection. It is up to the user alone to decide whether he or she wishes to increase the level of intrusiveness into his or her privacy and agree to share any personal data. Finally, Google only provided one box for the users to click, which read:

“I accept Google’s terms and conditions” and “I accept that my data are used as described above and as detailed in the privacy policy”

Such bundled consent, which is not specific and does not provide any details for each purpose, is not compliant with the requirements set out in the GDPR. Where several purposes for processing personal data exist, users must have the ability to consent only to those purposes that they wish. Having all the purposes all-in-one does not work under the GDPR.

________________________________

ARE THOSE REQUIREMENTS NEW UNDER THE GDPR?

Yes and no.

Yes, the requirements to collect a valid consent have been extensively strengthened. It is not as easy as before to collect a valid consent and, as this case demonstrates, there are individuals and authorities out there that can have a say and ultimately impose fines on your organization.

No, the principles of consent, of collecting personal data on a valid legal basis and of informing individuals via a privacy notice are not new in EU data protection legislation. The obligation to process personal data on a lawful ground already existed under Directive 95/46/EC and also applies under the Swiss Federal Data Protection Act (DPA), as is probably the case in most jurisdictions that have adopted a comprehensive data protection framework. A company responsible for collecting and processing personal data has to justify it with a valid legal reason. As a reminder, the GDPR offers 6 different legal bases to justify the processing of personal data (article 6 GDPR), which are:

  • consent;
  • performance of a contract;
  • compliance with a legal obligation;
  • protect the vital interests of natural persons;
  • performance of a task carried out in the public interest or in the exercise of official authority; and
  • legitimate interest.

Each of those legal bases has its pros and cons, but where you rely on consent, you should remain careful to collect it lawfully; otherwise the processing becomes illegal. With the GDPR, consent has become much more difficult to obtain. In particular, you need to inform and explain who is consenting, what you will do with the data, for what reasons and on what legal basis you process the data, and with whom you will share them. And this applies to each purpose separately. If those conditions are not met, the consent is not valid and you cannot process the personal data.

And this is what happened to Google LLC in the case of targeted advertising, for this first part of the story.

________________________________

By Gabriel Avigdor | ICT.ch 

Digital Lawyer