On Monday, France’s data protection authority (CNIL) levied the largest fine to date arising from violations of the European General Data Protection Regulation (GDPR), fining Google 50 million euros (more than $56 million) for Google’s lack of transparency, inadequate information, and lack of valid consent regarding advertisement (ads) personalization.

The GDPR, which went into effect last May, provides individuals in Europe (which the GDPR labels “data subjects”) with certain protections concerning their personal information (“personal data”). The regulation requires transparency in processing of personal data and in certain cases requires advance consent from the data subjects.

CNIL based its fine of Google on two violations:

  1. A violation of the obligations of transparency and information.
  2. A violation of the obligation to have a legal basis for ads personalization processing.

Violation of the obligations of transparency and information

CNIL stated that the “general structure of the information chosen by the company” did not comply with the GDPR. Essential information, including the data processing purposes, the data storage periods and the categories of personal data used for ads personalization, was not easily accessible, requiring the user to take several steps and view several documents to locate it. CNIL also found that the information provided by Google was not always clear or comprehensive, so users were not informed of the extent of Google’s processing activities.

Violation of the obligation to have a legal basis for ads personalization processing

Under the GDPR, an entity processing personal data must have a legal basis such as consent for such processing. CNIL determined that the consent obtained by Google did not provide a legal basis for ads personalization processing because it did not meet the GDPR requirements for consent:

  1. It was not “sufficiently informed”.
  2. It was not specific or unambiguous.

First, as with the transparency violation, CNIL found that Google’s structuring of the consent process for ads personalization diluted the consent because it flowed through several different documents, hindering a user from discovering the full extent of the consent being given. CNIL found that “in the section ‘Ads Personalization’, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, You Tube, Google home, Google maps, Playstore, Google pictures . . .) and therefore of the amount of data processed and combined.”

Second, CNIL found that the method Google provided for users to configure their account options did not comply with the intent of the GDPR. As evidence, CNIL cited that the ads personalization option was displayed to users already pre-selected. CNIL elaborated that under the GDPR, consent is “unambiguous” only when given by a clear affirmative action of the user, which in this case would mean letting the user make their own selection rather than confronting them with a pre-ticked box.

In addition, CNIL found that when a user creates an account, a user must check boxes stating, “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. CNIL found that these consents violated the GDPR because they purported to provide a generalized and comprehensive consent for all of the processing operations carried out by Google, instead of for a specific purpose, as contemplated by the GDPR.

Conclusion

Businesses should use this first large GDPR fine as an opportunity to reevaluate their exposure to GDPR, keeping in mind that whether a business has a physical location in Europe is not determinative of whether the GDPR’s requirements apply to that business. Importantly, a reevaluation of how a business currently obtains consent to process personal data subject to the GDPR may be necessary.