While the €50m fine may be the most eye-catching part of the French data protection regulator's recent action against Google, the size of the fine will be of little relevance to most organisations. Of greater interest will be the regulator's interpretation of GDPR and the practical implications for organisations.

Background

The action relates to a number of alleged failings in relation to the process for creating a Google Account when configuring an Android device. These complaints essentially related to two issues:

  • whether Google had complied with its obligations under Article 13 of GDPR to provide users with information about how it uses personal data; and
  • where Google relies upon consent as the legal basis for processing, whether Google had obtained valid consent for the purposes of Article 7 of GDPR.

The complaint was submitted on 25 May 2018 - the date that GDPR came into force - by two privacy associations.

While Google's European operations are based in the Republic of Ireland, Google has only recently nominated the Irish Data Protection Commissioner as its lead supervisory authority under the "one-stop shop." The decision that CNIL, the French data protection regulator, would take the lead on the investigation followed discussions between the national supervisory authorities.

What are the key issues?

CNIL concluded that Google is not complying with GDPR:

  • Firstly, in relation to the transparency obligation and the requirement to provide individuals with information about how their personal data will be used
  • Secondly, in relation to the validity of the consents upon which Google sought to rely.

On transparency, CNIL found that Google fell short of what is required under GDPR as the information in question is spread across multiple documents with multiple links, making it difficult to find. Under DPR, this information should be "concise, easily accessible and easy to understand."

CNIL also found that the information itself was neither clear nor comprehensive. In particular:

  • the purposes for which personal data are processed and the categories of personal data being processed are described in terms that are too generic
  • the legal basis for each processing activity is not clear. For example, it is not clear which processing activities rely on consent and which rely upon legitimate interests
  • the retention period is not provided for some data

In relation to consent, issues include:

  • the use of a pre-ticked box for consent to personalised adverts
  • a lack of transparency in the extent of services involved in ad personalisation (eg search, YouTube, Google Maps, Play etc)
  • the bundling of consent in a single tick-box acceptance of the Terms of Service and Privacy Policy

Practical implications

Google has said that it will appeal the decision. If that appeal is unsuccessful then it will need to look at how the account creation process and collection of consents can be reconfigured to ensure that they are compliant going forward. That may have a significant impact on the number of users agreeing to personalised advertising.

While Google is clearly a high profile target for enforcement action, the decision emphasises a number of key issues that are relevant to all organisations:

  • Avoid pre-ticked boxes or making consent a condition of a service
  • ensure that you get specific consent for each individual processing activity that is carried out on the basis of consent, and that there is no "bundling" of consent for different purposes
  • ensure that your privacy notice clearly and concisely explains how data is used, avoiding generalisms and ambiguity

These issues are relevant not just to compliance with GDPR, but also, in relation to the use of cookies and other tracking technologies and electronic marketing, the ePrivacy Directive, which applies the GDPR definition of consent.

Cookies and tracking technologies

For example, many organisations use a cookie consent tool to obtain user consent to the use of cookies. However, these tools often have a simple "accept" button that allows users to accept all cookies used on the site, which appears at odds with CNIL's conclusions on bundled consent - even where users have the option of drilling down for more information if they want it.

These tools are not just limited to tech companies and private sector websites - the Information Commissioner itself uses a cookie control tool, which presents the user with an "I'm fine with this" button. There will also be implications for the adtech sector more generally.

Organisations should also look at how information is presented and consents obtained in mobile apps. If app development is outsourced to a third party, it is important that the app and any registration processes are properly reviewed and tested.

Privacy notices

Finally, on privacy notices, CNIL's decision echoes guidance previously provided by the Article 29 Working Party (subsequently adopted by the European Data Protection Board), but provides more guidance on the need to precisely explain the legal basis for processing.

The decision emphasises the importance of clearly identifying the relevant legal basis for each processing activity, rather than simply including in the privacy notice a list of all the legal bases relied upon by the controller. This makes sense, as without understanding what legal basis applies to each processing activity, the individual cannot properly understand what their rights are in relation to that processing.

The need to ensure that the information provided to individuals is clear, concise and transparent, is also a reminder to ensure that privacy notices, consent and data collection forms are regularly reviewed to ensure that they are accurate and up to date. If you've not already done so, diarise regular reminders to do this.

Contributor

Martin Sloan

Partner