Immediately after the entry into application of the GDPR, the CNIL received several complaints over “forced consent” and unlawful processing.
On May 25, the non-profit European Center for Digital Rights (known as nyob for “none or your business”), founded by Max Schrems, filed four, very similar, complaints over “forced consent” against Google (Android), Instagram, WhatsApp and Facebook, respectively with the CNIL, the DPA (Belgium), the HmbBfDI (Hamburg) and the DSB (Austria). In addition, the Irish Data Protection Commissioner will probably get involved in the cases too, as the headquarters of the relevant companies are in Ireland in three cases.
In France, the complaint filed on behalf of a French data subject, is directed at Google LLC as provider of the Android operating system and challenges the validity of the consent obtained from users of Android-enabled devices, which nyob argues is not “free”.
To support its position that consent has been “forced”, nyob invokes several main arguments:
- The provision of the services are conditional upon consent to the processing of personal data that is actually not necessary to the provision of such services. This type of combined, “take it or leave it” style consent is not freely given.
- Finally, if the user does not consent, the he/she would not be able to use any of the Google services, which could be seen as a serious detriment considering the popularity of such services and the potential loss of a crucial form of social interaction for the user without a smartphone.
The organization also lists a few alternative arguments that the consent is neither informed nor specific, and that there is uncertainty regarding the actual legal basis used by Google who is acting in an unfair, misleading and non-transparent way.
On this basis, nyob requests that the CNIL (or any other supervisory authority that the CNIL may cooperate with) investigate Google’s practices in this respect and that the relevant processing operations be prohibited. In addition, nyob requests that Google be fined, taking into account notably the fact that such practices actually affect millions of users and Google’s behavior (including the fact that it could not ignore the consent requirements). The complaint clearly seeks to make an example of this as it requests Google, a “major player within the data industry (…) be adequately sanctioned to prevent similar violations of the GDPR in the future, and to ensure respect of the data subjects’ rights under the new data protection acquis”.
If the CNIL follows nyob, Google is facing a potential fine of EUR 3.79 billion, corresponding to 4% of the FY17 worldwide revenue of Alphabet Group, of which Google is a member, and Facebook, WhatsApp and Instagram may be sanctioned each to pay 1.3 billion.
However, it must be noted that there is still uncertainty as to how “the total worldwide turnover of the preceding financial year” must be interpreted (either at group level or at the relevant entity’s level). In addition, all the companies who were served, have already started to challenge the actions brought against them.
Hopefully, the supervisory authorities will clarify that.
This complaint is also very interesting in several respects as it will certainly provide additional guidance on how to obtain valid consent and it gives the opportunity to test the consistency mechanism to be implemented by the supervisory authorities in action in a cross-border proceeding, even though it might prove challenging at least for now as the new French data protection law has still not been promulgated yet (currently under Constitutional review), and as a result, the CNIL is not properly equipped to enforce the GDPR and cooperate with its counterparts.
In addition, this complaint resonates with one of the provisions of the new French law on consent validity and contracts, which specifically requires data controllers to be able to demonstrate that the contracts they enter into do not constitute an obstacle to end users’ consent and freedom to access the applications and services of their choice on their electronic devices. For example, electronic device makers, (in the complaint) should not enter into contracts (e.g., Google) forcing them to offer to end users certain services installed by default on the devices, without any other alternative, and collecting personal data to monetize them. In fact, during the legislative process, French senators specifically referred to Android as an example of bad practice…
This complaint, along with the 3 other ones lodged with the DPA, the HmbBfDI and the DSB, are the first of a series of actions, as nyob has already announced that it will file further complaints about the illegal use of user data for advertising purposes or “fictitious consent”.
In the same wave, on May 28, a French association called “La Quadrature du Net” filed five collective complaints grounded on the absence of free and explicit consent since according to the association no services may be accessed if the consent is not given. La Quadrature du Net has already announced its intention to lodge more complaints in the future concerning other digital services.
So stay tuned because there’s more to come!