In a recently published enforcement action against Google, the Dutch Data Protection Authority confirmed its earlier position that combining personal data from various services without the prior unambiguous consent of individuals violates Dutch data protection laws. Google had collected and combined personal data of internet users in order to provide personalised services or display personalised ads. Google breached data protection law by failing to adequately inform users about the combining of their personal data from various sources, and by not obtaining users’ prior consent for such combination. According to the Dutch Data Protection Authority, processing of the personal data in this case cannot be based on other legitimate grounds, for instance legitimate interest, because the combining of personal data has a significant impact on users’ privacy and cannot be foreseen by them.
Companies that collect and process personal data via websites and other platforms and combine these data for user profiling should obtain the user’s unambiguous consent before sharing the user’s personal information between various company services. Individuals must be clearly informed about what personal information is being collected, for which purposes and how it is being combined and used by different services. Companies that fail to comply with data protection requirements may face multi-million euro penalties.
On 15 December 2014, the Dutch Data Protection Authority (DPA) published its decision to impose an incremental penalty on Google, Inc. that could amount to EUR 15 million if Google fails to end violations of the Dutch Data Protection Act before the end of February 2015.
The DPA’s investigation in 2013 had already established that Google had collected and combined the personal data of internet users in order to provide personalised services or display personalised ads. This profiling covered not only the personal data of individuals using Google+ accounts, but also data on individuals’ use of search engines, video streaming and geolocation services, and the tracking of visits to third-party websites that place or read Google cookies. According to the DPA, the personal data had originally been collected and processed for different purposes. The secondary use of those data requires appropriate legal grounds and should not be incompatible with the purpose for which these data were originally collected. Google breached Dutch data protection law by failing to adequately inform its users about combining their personal data from various sources and by failing to obtain their prior consent for such combination.
In 2013, the DPA had come to a similar conclusion in a case against TP Vision. This smart TV manufacturer had used cookies and log files for monitoring viewers’ online behaviour – TV programs watched, websites visited, apps used, etc. – and for subsequently offering personalised ads to its customers. TP Vision violated the Data Protection Act by failing to properly inform viewers of what personal data were collected and for which purpose. It also failed to seek any form of legal and freely given consent from viewers.
The DPA ordered TP Vision to adequately inform viewers in advance about collecting the data and to obtain the viewer’s prior unambiguous consent for the processing of personal data.
The DPA’s decision against Google followed an investigation launched by the Article 29 Working Party in 2012, which found that Google did not comply with the key data protection principles and required Google to modify its practices when combining personal data across services. After this investigation, the DPA, along with five other European data protection authorities, examined Google’s practices for their compliance with national data protection laws. This resulted in a number of enforcement actions against Google throughout Europe. At that point, the DPA only warned Google that its practices violated Dutch law.
Google’s response and proposed measures to ensure compliance did not satisfy the DPA, and it imposed an incremental penalty on Google of EUR 20,000 per violation per day, up to EUR 15 million in total.
Such a high penalty may not be an exception in the near future. When the European General Data Protection Regulation is adopted, supervisory authorities will be able to impose fines of EUR 100 million or 5% of annual worldwide turnover, whichever is higher.
Companies that collect and process the personal data of individuals via websites and other platforms and combine these data for user profiling should obtain the user’s unambiguous consent before sharing the user’s personal information between various services. Individuals must be clearly informed about what personal information is being collected, for which purposes, and how it is being combined and used by different services.
- Read our previous article on the opinion of the DPA, “Google introduces data processing agreement for Google Analytics” (11 November 2013).