On 21 January 2019, the French Data Protection Authority, the Commission nationale de l'informatique et des libertés (the “CNIL”) imposed a financial penalty of €50 million on Google LLC (“Google”) for a number of breaches of the General Data Protection Regulation (the “GDPR”). The CNIL found Google guilty of two breaches of the GDPR. Firstly, Google violated the principle of “lawfulness, fairness and transparency” and secondly, Google violated the requirement to have a “lawful basis for processing” when sending personalised ads.
Breach 1: Lack of Transparency
The CNIL found that Google’s fair processing information was lacking in both detail and clarity. The CNIL identified that essential information, such as: the data processing purposes, the data storage periods and the categories of personal data used for the personalisation of ads is excessively disseminated across several documents, meaning it is only possible to view relevant information after 5 or 6 click through actions. Such a process is at odds with the “transparency” principle of article 5.1(a) of the GDPR and has the effect of preventing service users from fully understanding the extent of the processing operations carried out by Google.
Breach 2: Lack of valid consent
Under article 7 of the GDPR consent is valid only where this is unambiguous and involves a clear affirmative action i.e. an opt in. In addition, distinct consent options must be given where there are a number of processing operations undertaken. The CNIL found that Google failed to adhere to these requirements for valid consent in two ways. Firstly, as information on the ads personalisation process is spread across several documents it does not enable the user to fully understand the extent of such processing and, as such, users are not sufficiently informed of the processing operations undertaken. Secondly, users were not able to provide specific or unambiguous consent because users are asked to tick a box providing a general consent to Google’s terms of service and processing of their user information. Given users are not able to opt in or out of one or more processing operations but instead are required to provide a blanket consent to Google’s processing operations, the CNIL found this is not GDPR complaint consent.
It is particularly interesting that the investigation came in response to two group complaints one of which was received on 25 May 2018 (i.e. GDPR day). In the lead up to the GDPR the difficulties the digital advertising sector would face were much publicised and debated; this investigation demonstrates an immediate challenge on the compliance one of the largest players in the sector and highlights the ongoing difficulties of achieving compliance. The CNIL noted the level of penalty was such because the breaches of the GDPR set out above were continuous and still observed at the date of the publication of its findings. Importantly, this investigation shows that the relevant data protection authorities are prepared to use their new GDPR powers, this is especially challenging for the digital advertising sector given the likelihood that a number would likely suffer the same fate, were they to be investigated.