On 21 January 2019, France's data protection watchdog, the National Data Protection Commission ('CNIL'), has imposed a record fine of fifty million (50,000,000) euros against Google LLC based on perceived infringements of the EU General Data Protection Regulation ('GDPR').
In brief, the fine was imposed on Google for the latter's lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.
Essential Information not Provided in a Lawful Manner
One of the main violations highlighted by France's CNIL was the fact that information provided by Google was not easily accessible (one of the requirements under the GDPR). The CNIL noted that certain essential information such as the purpose(s) of the processing of personal data, the data storage periods and even the categories of personal data used for ads personalization were disseminated across several documents requiring the user to click several buttons and links to be able to access this essential information.
The CNIL also observed that the information itself was not always clear or even comprehensive making it difficult or impossible for users to understand the content. This goes against the transparency principle enshrined in the GDPR which requires all essential information to be communicated in a concise, transparent, intelligible and easily accessible manner using clear and plain language.
Consent not Validly Obtained
Apart from lack of transparency, the CNIL also found that Google did not validly obtain the consent of its users to be able to process personal data for ads personalization purposes (despite the fact that Google itself had stated that it was relying on such consent as the legal basis for doing so).
Consent was deemed invalid on the basis of two main points:
1. Consent was not sufficiently 'informed', one of the essential requirements for valid consent together with it being 'unambiguous' (or in the case of special categories of personal data, explicit), 'freely given' and 'specific';
2. Consent was not 'specific' and 'unambiguous' (meaning that it was not clear what users were specifically consenting to).
Therefore, the ways in which users were presented with privacy-related information and the ways in which users were asked to manifest their consent were found to infringe the GDPR.
In imposing the record fine, the CNIL noted, inter alia, that this was not a 'one-off' by Google but rather, a continuous breach of the GDPR.
Maltese businesses should take note of this because the rules discussed above (mainly those enshrined in Articles 12, 13 and 14, GDPR) apply in a similar manner to them as well.
More information on this record fine can obtained by visiting the CNIL's website: https://www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-llc