It was only a matter of time before we would see the European regulators flex their muscles under the GDPR to impose huge fines on businesses – and to a large degree, it is no surprise that a large tech company has been the first to face a fine of this scale.
On 21 January 2019, Google LLC was fined €50 million by the French data regulator CNIL, for a breach of the EU’s data protection rules, in particular for lack of transparency, inadequate information provided to data subjects/users and lack of valid consent regarding ad personalisation.
On the very day that the GDPR came into effect (25 May 2018) and on 28 May 2018, complaints were made by French interest groups, None of Your Business, which is spearheaded by the Austrian privacy activist Max Schrems (who lead complaints to eventually take down the EU-US Safe Harbour regime), and La Quadrature du Net who together claimed that Google failed to provide a valid legal basis to process user data for ad personalisation, as required by the GDPR.
The GDPR requires that in order for data processing to be lawful, data subjects / service users must to be told in clear and simple terms what personal data of theirs is being processed, why, on what legal basis, who it will be shared with, how long it will be stored etc. These are known as transparency obligations and information notices and come within the requirements of Articles 12, 13 and 14 of the GDPR. We all experienced an overload of these in the run up to 25 May 2018.
The CNIL has said that users were insufficiently informed about how Google collected data relating to the personalisation of advertising, with the French regulator pointing to Google’s failure in relation to two key areas:
1. Inadequate transparency and information – in breach of Arts 12 and 13 – Google does not obtain valid consent to process data because “essential information” such as the data processing purposes, the data storage periods and the categories of personal data are “disseminated across several documents.” For example, it takes 5 or 6 clicks for users to find out how their data is being processed in order to personalise ads. Similarly, the information communicated to users is not sufficiently clear so that they can understand that consent is the legal basis of processing, and not the legitimate interest of the company (Art 6).
The CNIL stated that the processing operations are particularly massive and intrusive because of the number of services offered (about twenty – such as Google search, YouTube, Google home, Google maps, Playstore, Google photo, Google play, Google analytics, Google translation, and Play books), and given the amount and the nature of the data processed and combined.
The judgement criticises the vague and generic nature of the purpose of the processing presented to users which effectively prevents the user from clearly understanding what he/she is signing up to and in this case, what he/she is “voluntarily” agreeing to be subjected to by way of targeted advertisements where data is collected revealing very intimate details of a user’s lifestyle, preferences, contacts, opinions, travels etc.
2. Invalid user consent regarding ads personalisation – Under the GDPR consent must be “freely given, specific, informed and unambiguous.” The CNIL found that Google is in breach of Arts 4 and 6 for two reasons:
- The option to personalise ads is “pre-ticked” when creating an account which does not meet the ‘unambiguous’ threshold, nor does it serve as an “indication of the data subject’s wishes…by a clear affirmative action” as required by the GDPR.
Many smaller businesses will be well aware that pre-ticked boxes are prohibited and a user must undergo a positive action to validly consent. The CNIL was particularly exercised on this issue in the context of ad personalisation.
SIGNIFICANCE OF THE DECISION
The fine marks the first major penalty made under the GDPR against a tech giant. It shows us that the regulators are prepared to apply the GDPR with force using the available fine structure. In this case, the fine category was up to 4% of turnover or €20m, whichever is higher. So while some will argue that the fine is a drop in the ocean for a company with sales of c. $110 billion in 2017, it does show us that the regulators are prepared to apply the upper end of the fine mechanism – enough to leave many businesses quaking in their boots at the thought of a complaint made against them.
Leaving aside the fine, the decision also has the effect of challenging Google’s lucrative business model of processing personal data for micro-targeted advertising. The severity of the fine reflects the CNIL’s view on the severity of the infringements of the essential GDPR principles of transparency, information and consent, and the intrusive nature of the processes being applied across multiple services.
In order to legally process data, a data controller or processor must have a valid legal basis. Consent is one of the permitted legal grounds but not the only one. The threshold for what constitutes valid consent is extremely high and this case highlights the challenges facing businesses that rely on consent for complex processing activities.
Following discussion with other Data Protection Authorities, the CNIL appears to have formed the view that a main establishment in Europe was not established by Google LLC to allow the identification of the lead authority and so, in the absence of lead authority for Google LLC’s European data processing activities, the CNIL’s view was that it was competent to deal with the complaint. The CNIL refers in its decision to recital 36 of the GDPR which states that “the main establishment of a controller in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities determining the main decisions as to the purposes and means of processing through stable arrangements”.
The main take-away on this issue is that companies cannot be complacent on who their lead supervisory authority is, particularly where an assumption is made on this on the basis of where they are headquartered. The CNIL expressly states that the main establishment does not automatically correspond to a data controller’s headquarters in Europe.
Google has stated that it intends to appeal the decision stating on 23 January 2019, “We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal”.