Recently, we provided a summary and initial analysis of the first major fine under the GDPR, which was issued by the French data protection authority (the CNIL). In a series of three blog posts, we will provide further analysis of this landmark decision and its implications. This first part covers the reasons behind the penalty and Google's decision to appeal. In the second part of the series, we will consider potential future GDPR fines and draw a link between privacy and competition considerations. In the third part, we will provide practical advice to improve compliance.
As stated in our previous article, the penalty was imposed on Google for failing to provide sufficient information and transparency as required under articles 5, 12 and 13 of the GDPR, and for processing personal data without a valid legal basis, constituting a violation of article 6 GDPR, in the context of creating a Google account when setting up an Android phone. The CNIL’s decision was based on the following reasons.
Too many steps required
The first issue addressed in the CNIL’s decision was that information about Google’s personal data processing was not easily accessible for users. The CNIL found that information was spread across too many different documents, and that too many steps were required to find the relevant information — in particular, where it concerned personalisation of advertisements (5 steps) and geo-tracking (6 steps). Another problem noted by the CNIL was that information about the retention terms of data was placed under the title “Exporting & deleting your information”, which took 4 steps to reach and did not make it sufficiently clear to users that information on standard retention terms was to be found there as well. These issues combined led the CNIL to conclude that there was a general violation of the requirement that the relevant information should be “easily accessible” to users.
Information was not sufficiently specific, considering the very high privacy impact
The CNIL also considered that the nature and scope of the personal data and processing activities at hand are particularly intrusive and massive, as information is continuously collected and processed about users’ habits, tastes, contacts, opinions, and whereabouts. In this situation in particular, the CNIL demanded more clarity from Google about the specific ways in which personal data would be processed, rather than broad and generic descriptions of purposes such as ‘offering personalized services in terms of content and advertising’, ‘safeguarding the security of our products and services’, and ‘provide and develop our services’. The CNIL concluded that information sufficiently clear and detailed to enable users to substantially assess the impact on their privacy was not available in any of the several documents and layers of information provided by Google.
Essential information and settings were available only after creating an account
Another problem noted by the CNIL was that the “privacy check-up” and “dashboard” tools were only provided after the creation of a Google account, and not before. The CNIL considered the information provided there to be essential to properly inform users at the outset. Furthermore, an active step was required for users to access this information. The CNIL deemed this a violation of the requirements of article 13, which states that information should be provided to the data subject at the time when personal data are obtained. Thus, in accordance with the findings of the CNIL, the privacy check-up and dashboard information and settings should have been actively provided as part of the setup process, rather than made available after completion of the setup process.
Consent was not sufficiently informed, specific, and unambiguous
The CNIL concluded that the user consent obtained by Google did not meet the requisite standard of “informed” per the GDPR, for the same reasons that it found Google to be in violation of the transparency requirements. For one, the CNIL noted that the information provided about ad personalisation did not explain the extent to which data would necessarily be combined across different services provided by Google (such as Google Search, YouTube, Google Home, Google Maps, Play Store, and Google Images). The fact that the box for ad personalisation was pre-ticked by default was also problematic, as it meant that consent was not given by an affirmative action from the data subject. Finally, the CNIL found that the user was asked to provide consent for all processing activities at once, whereas it stated that “consent is “specific” only if it is given distinctly for each purpose”.
As mentioned, Google has already indicated that it will appeal the decision, giving the following statement:
We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing. We’re also concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond. For all these reasons, we've now decided to appeal.
Such a response was only to be expected. There is plenty at stake here: not only the €50 million fine (which amounts to only about 4.5 hours of turnover for Google), but more importantly, the scope of transparency and consent requirements under the GDPR. The CNIL’s decision reminds us that transparency and consent are foundational elements of the GDPR, and the way these concepts are to be applied will indeed have major consequences for all or most digital services provided in Europe. Moreover, it appears that the decision was intended to signal to the market that data protection authorities in the EU are ready and not afraid to use their substantial enforcement powers. This is likely to provide further incentive for Google to push back.