On Monday 21 January 2019, the French regulator, the National Data Protection Commission (CNIL), imposed a fine of €50m against Google LLC under the General Data Protection Regulation (GDPR). The decision sets a higher bar for compliance that others ought to observe, and it gives some guidance as to what can be expected from future enforcement actions.

The fine follows an investigation carried out by the CNIL in accordance with Article 58 of the GDPR, as a result of group complaints by non-profit organisations None of Your Business (NOYB) and La Quadrature du Net (LQDN) in May 2018.

In response to the fine, Max Schrems, chairman of NOYB, commented: “Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”

The CNIL imposed the fine for “lack of transparency, inadequate information and lack of valid consent regarding ad personalisation”.

Violation of the obligations of transparency and information

The complaints alleged that Google did not clearly state which processing operations relate to each legal basis relied on under Articles 6 and 9 of the GDPR, and simply listed four bases for lawful processing.

The CNIL observed that the information provided was not easily accessible for users and not always clear or comprehensive. The structure of the information chosen by Google did not comply with GDPR, and essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for advert personalisation was spread across various documents, with a number of clicks required to access the full information.

The CNIL observed that, given the number of processing operations carried out by Google (about 20), the descriptions of the purposes of processing were too generic and vague. The CNIL concluded that it was not clear to the user that Google was relying on data subjects’ consent, rather than the company’s legitimate interest, to process data for advert personalisation.

Violation of the obligation to have a legal basis for advert personalisation processing

Google relied on data subjects’ consent to process data for advert personalisation purposes. However, the group complaints alleged that consent was not freely given by data subjects when using Google products, since the data subject had to “agree” to the entire privacy policy and terms and conditions in order to access the product.

The CNIL concluded that data subjects’ consent was not sufficiently informed, both because the information was spread across multiple documents and because the section on ‘Ads Personalisation’ did not clearly depict which services and websites would be involved.

Further, the CNIL observed that before creating an account, the user is asked to agree to Google’s terms of service and privacy policy. Any amendments to the permissions granted by the user could only be made after agreement, by going into ‘more options’ and de-selecting advert personalisation. The CNIL concluded that this was not “specific, informed and unambiguous” consent within the meaning of Article 4(11) of the GDPR.

What can insurers and insureds learn?

It is clear from the CNIL’s decision that claiming to be compliant is not enough: companies need to consider how clear, unambiguous and easily accessible their information about data protection actually is. The CNIL assessed Google’s data protection from the perspective of the data subject, and that is the perspective from which potential risks should be considered.

  • This case emphasises the need for companies to go back and assess current privacy policies, investing further in GDPR compliance where necessary. Privacy is an issue for the customer-facing business to address as a whole and cannot simply be outsourced to IT or external providers.
  • Companies with complex permissions may be at greater risk and need to consider each processing operation individually to ensure it is clearly set out for the customer. The CNIL clearly took the complexity of Google’s products into account when making its decision, which implies that there is no single standard across companies of all sizes.
  • There is greater risk for companies with a large number of processing operations with multiple legal bases for processing. Specific, tailored privacy policies may be required and companies should avoid using generic wording or multiple scattered documents, which may be less accessible for the user.
  • Users must be able to freely consent to processing of data and should not feel forced into giving consent. Following agreement to the privacy policy, users should be able to go in and ‘select’ more options rather than the boxes being pre-ticked in the background.
  • Aside from the fine itself, there is a risk that damages may be claimed by individuals or groups of potentially affected data subjects. This may give greater momentum to both regulatory authorities and claimants, and now is the time for companies to revisit data protection and reduce risk.