While the €50m fine may be the most eye-catching part of the French data protection regulator's recent action against Google, the size of the fine will be of little relevance to most organisations. Of greater interest will be the regulator's interpretation of GDPR and the practical implications for organisations.
The action relates to a number of alleged failings in relation to the process for creating a Google Account when configuring an Android device. These complaints essentially related to two issues:
- whether Google had complied with its obligations under Article 13 of GDPR to provide users with information about how it uses personal data; and
- where Google relies upon consent as the legal basis for processing, whether Google had obtained valid consent for the purposes of Article 7 of GDPR.
The complaint was submitted on 25 May 2018 - the date that GDPR came into force - by two privacy associations.
While Google's European operations are based in the Republic of Ireland, Google has only recently nominated the Irish Data Protection Commissioner as its lead supervisory authority under the "one-stop shop." The decision that CNIL, the French data protection regulator, would take the lead on the investigation followed discussions between the national supervisory authorities.
What are the key issues?
CNIL concluded that Google is not complying with GDPR:
- Firstly, in relation to the transparency obligation and the requirement to provide individuals with information about how their personal data will be used; and
- Secondly, in relation to the validity of the consents upon which Google sought to rely.
On transparency, CNIL found that Google fell short of what is required under GDPR, as the information in question is spread across multiple documents with multiple links, making it difficult to find. Under GDPR, this information should be "concise, easily accessible and easy to understand."
CNIL also found that the information itself was neither clear nor comprehensive. In particular:
- the purposes for which personal data are processed and the categories of personal data being processed are described in terms that are too generic
- the legal basis for each processing activity is not clear. For example, it is not clear which processing activities rely on consent and which rely upon legitimate interests
- the retention period is not provided for some data
In relation to consent, issues include:
- the use of a pre-ticked box for consent to personalised adverts
- a lack of transparency in the extent of services involved in ad personalisation (eg search, YouTube, Google Maps, Play etc)
Google has said that it will appeal the decision. If that appeal is unsuccessful then it will need to look at how the account creation process and collection of consents can be reconfigured to ensure that they are compliant going forward. That may have a significant impact on the number of users agreeing to personalised advertising.
While Google is clearly a high profile target for enforcement action, the decision emphasises a number of key issues that are relevant to all organisations:
- avoid pre-ticked boxes or making consent a condition of a service
- ensure that you get specific consent for each individual processing activity that is carried out on the basis of consent, and that there is no "bundling" of consent for different purposes
- ensure that your privacy notice clearly and concisely explains how data is used, avoiding generalities and ambiguity
Cookies and tracking technologies
Cookie consent tools are not limited to tech companies and private sector websites: the Information Commissioner itself uses a cookie control tool, which presents the user with an "I'm fine with this" button. There will also be implications for the adtech sector more generally.
Organisations should also look at how information is presented and consents obtained in mobile apps. If app development is outsourced to a third party, it is important that the app and any registration processes are properly reviewed and tested.
Finally, on privacy notices, CNIL's decision echoes guidance previously provided by the Article 29 Working Party (subsequently adopted by the European Data Protection Board), but provides more guidance on the need to precisely explain the legal basis for processing.
The decision emphasises the importance of clearly identifying the relevant legal basis for each processing activity, rather than simply including in the privacy notice a list of all the legal bases relied upon by the controller. This makes sense, as without understanding what legal basis applies to each processing activity, the individual cannot properly understand what their rights are in relation to that processing.
The need to ensure that the information provided to individuals is clear, concise and transparent is also a reminder to review privacy notices, consent and data collection forms regularly to ensure that they are accurate and up to date. If you've not already done so, diarise regular reminders to do this.