CNIL, the French Data Protection Authority, has imposed the highest fine for breach of European data protection law to date, relating to onboarding, transparency and consents on a digital platform.
In an action arising out of a complaint on behalf of 12,000 people, including Max Schrems of the 2015 action against Facebook, the CNIL found that:
- Google does not give users enough information about how it processes personal data collected from its Android software.
- Google asked for a single ‘bundled’ consent from new users of such services rather than asking for specific consent to each processing activity (speech recognition, ads personalisation etc.).
As a result, Google was unlawfully processing data.
The fine is shy of the maximum under GDPR (a fine of 4% of worldwide turnover would have resulted in a much higher figure) but it is a significant increase from the pre-GDPR data privacy regime.
Where Google failed to comply
Lack of transparency – too many documents and screens
The regulator found that GDPR mandated information about privacy is “located across several documents, with buttons and links on which it is required to click to access complementary information”. According to the regulator, excessive action is needed “when a user wants to have a complete information on his or her data collected”. This is particularly significant because the nature of some of the processing being conducted, such as that for ad personalisation purposes and geo-tracking, is not clear to users.
Bundled consent is neither specific nor unambiguous
The user is asked to tick the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy” to create a Google account on Android. This means that consent is given to all processing described in the Privacy Policy, not to each processing activity individually. Consent is therefore not specific as required by GDPR.
While the regulator admitted that the user can modify their options to choose more specific consents, the process was still not unambiguous as required by GDPR. In particular, there is no “clear affirmative action”: the option to modify consent was hidden behind a “more options” button, and the consent to ad personalisation was pre-ticked.
Comment
The fine was announced on 21 January 2019, which means it is too early to understand fully the consequences, but privacy professionals will be keen to consider the early implications.
Fines are going up – are the gloves now off?
The claim was initially filed on the day GDPR came into effect, 25 May 2018. Many of the breaches, for example pre-ticked boxes, are well known “no-nos” under GDPR and relate to some of the more detailed points of implementing GDPR compliance in digital platforms: in theory Google should be able to fix them through iteration of its software. What’s odd is that the enforcement notice states that these breaches are still being observed, so it is unclear whether Google is just late to the game or is taking a stance. In any event, this judgment signals an intent by the CNIL to regulate the detail of GDPR seriously and not to focus solely on data breaches.
Will it give rise to class action lawsuits?
Some have predicted that GDPR may give rise to a claims industry against large scale data processors. This is a controversial prediction and privacy professionals will be watching this case to see what happens next. Notably, this case was instigated by consumer associations on behalf of over 12,000 people. It will be interesting to see whether those claimants also make personal financial claims (in the style of a “class action”) against Google off the back of this finding.
Will Google do better in Ireland?
Google’s services were provided by Google LLC, a US entity, and not its European subsidiary headquartered in Ireland. This means that the French regulator, as the authority which received the complaint, was able to take the lead in the investigation. As of 22 January 2019, Google will move the provision of services in Europe from the US to its Irish subsidiary. The investigation of future complaints about Google’s processing will be led by the Irish regulator. Pre-GDPR, the Irish regulator was sometimes seen as having a lighter touch. It’s also likely that Google wants to better geo-fence its services to avoid the extra-territorial effect of GDPR complicating its operations outside the EU. Will a more local, less Silicon Valley-centric, approach deliver a better reputation for data privacy compliance?