Co-authored by Aurore Palmisano
On 21 January 2019, the CNIL, the French data protection authority ordered Google to pay a fine of €50 million based on a violation of the General Data Protection Regulation (GDPR). This constitutes the largest fine reported to have been imposed under GDPR since it entered into force on 25 May 2018.
In May 2018, two consumer privacy rights organisations filed a collective action before the CNIL against Google. According to them, the American search engine did not have a valid legal basis to process the personal data of the users of its services and did not satisfy GDPR's requirements regarding transparency, information and valid consent. The complaints were mostly associated with Google's ad personalisation services.
The CNIL's restricted committee considered that Google violated the obligations of transparency and information enshrined in GDPR. It found that essential information such as processing purposes, retention periods, and categories of personal data used for purposes of personalised advertising were diluted among too many documents and needed too many steps to be reached, making them not easily accessible enough for users. It was also found that the information which was provided was not always clear and understandable and that users were then unable to fully understand the implications of the processing of their personal data.
The French regulator further held that Google did not fulfill its obligation to have a legal basis for data processing in the form of ads personalisation processing. The CNIL concluded that Google failed to obtain its users' adequate consent for three main reasons.
First, the users were not sufficiently informed to validly consent to the processing of their personal data. The information regarding this processing was disseminated in multiple documents and the display of the ads personalisation option did not clearly explain which services, applications and websites would be involved in the processing of the data, which made users unable to be aware of its extent.
Secondly, the consents obtained by Google were neither "specific" nor "unambiguous" with regards to GDPR. It is true that the users could modify a few options when configuring their Google account. However, the box allowing the processing of data regarding ads personalisation was pre-selected, so that contrary to the requirements of GDPR, the users did not consent with a clear affirmative action and, consequently, did not give an "unambiguous" consent.
Thirdly, in order to have access to their Google account, the users had to agree to Google's terms and conditions and to the processing of their private information prior to being able to make any changes to the configuration of the ads customisation options. The CNIL considered that by doing so, Google did not enable the users to accept distinctly each purpose of the data processing and therefore did not allow them to give a "specific" consent.
This decision constitutes the first major reported case of data protection breach analysed by a national data protection authority under the GDPR regime. It highlights the need for businesses which collect personal data to improve the accessibility, ease of understanding and the clarity of their policies towards users as well as their standards of transparency and control in the context of the gathering of consent. It also underlines the heightened potential consequences of a breach of data protection law following the entry into force of GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.