Recently, we provided a summary and initial analysis of the first major fine under the GDPR, which was issued by the French data protection authority (the CNIL). In a series of three blogs, we provide further analysis of this landmark decision and its implications. In the first part, we provided information about the motivation of the penalty and Google’s decision to appeal. In this second part of the series, we will consider potential future GDPR fines and draw a link between privacy and competition considerations. In the third part, we will provide practical advice to improve compliance.
As stated in our previous article, the penalty was imposed on Google for failing to provide sufficient information and transparency as required under articles 5, 12 and 13 of the GDPR, and for processing personal data without a valid legal basis, constituting a violation of article 6 GDPR, in the context of creating a Google account when setting up an Android phone.
Considering what’s at stake, it is understandable that Google and others will keep trying to minimise what is required of them. While it may seem trivial to some, an issue such as whether pre-ticking a checkbox for ad personalisation is permissible or not can have significant consequences. This is because users tend not to change default settings, and in general, personalised ads attract considerably greater revenue than non-personalised ads. Furthermore, it will require more resources to provide more complete and accurate information, which is continuously kept up-to-date (particularly challenging in the fast-changing world of technology) and provided at the right time and in the right way. It seems likely, however, that tech companies across the board will have to step up their privacy game substantially or risk serious fines. At a maximum of 4% of global turnover, these could be far higher than the CNIL’s €50 million opening salvo.
Google probably wouldn’t be wrong if it claimed on appeal that it already provides data subjects with more information and choices about how their personal data will be used than some others. However, it could prove difficult to convince a judge that the CNIL was wrong to demand a particularly high level of transparency from Google, given how much information Google processes about almost everybody. Your ongoing smartphone usage enables Google to continuously process an enormous amount of data about you: your exact whereabouts over time; every search you type into your browser; all the names, numbers and other contact details of (nearly) everybody you know; and all your calendar appointments, including the details as to where and with whom. Do you know what you were doing and where you were at 16:15 on September 4th, 2018? You may not remember, but chances are that Google has the exact data. It doesn’t seem like an exaggeration to say that these services and apps probably know you better than you know yourself.
Weighing all factors, it doesn’t seem difficult to argue that a company which may know you better than you know yourself, and which is making (nearly all of) its billions of euros of annual turnover by helping other companies sell you things, can and should be held to a high standard of transparency about how its vast data troves about you may be used. It still remains unclear, for instance, if switching off Google’s ad personalisation setting will delete your existing ad profile completely. Another possibility could be that the profile is retained, and perhaps even fed with new data, but this data merely is no longer used to show personalised ads. This point was not mentioned by the CNIL, but it appears that it potentially could (or even should) have been.
If Google has indeed done as much or even more than others to comply with the GDPR, this may be further indication that more fines can be expected soon. In this respect, it is worth noting that NOYB — one of the associations that filed the collective complaint against Google that ultimately resulted in the penalty — also filed complaints against Facebook, Amazon, LinkedIn, and several other companies.
Another interesting development in this sphere is that Germany’s competition authority recently decided (on February 7th) that Facebook abused its market power by combining user data collected from the Facebook website and app with user data collected through “like” and “share” buttons found on many external websites. A novelty in this case is that privacy considerations have helped shape the assessment under competition law about which forms behaviour should be considered as abusive (in this case: combining data from several sources).
Such interplay between the competition and privacy spheres may also be possible in the opposite direction, as competition considerations could help to shape assessment under privacy law as well. For example, the fact that a given provider is dominant within its market may imply the risk that consent won’t be deemed freely given, because the alternative (i.e. not using its services) is arguably too detrimental. So-called “network effects” can also play a role here — for instance, it is difficult to avoid Facebook if all your friends are on Facebook. Further consequences of a provider being dominant are that the amount of personal data processed will usually be far higher and there will be far more data to potentially combine across different sources. As a result, the insight that such a company may have into individuals’ (private) activities and personal characteristics can be far more comprehensive and intrusive. Here is an interesting read about an experiment to try to avoid any personal data processing by Google. Spoiler alert: it’s nearly impossible.
Read our next blog for practical advice to improve GDPR compliance!