Note: This article is presented as the author’s opinion and not as legal advice. Development of a GDPR response plan is outside the scope of any article and should be made with guidance from your legal counsel.
With the French Data Protection Authority (CNIL) disclosing on January 21st a 50 million euro fine against Google LLC, we now have a precedent against which to evaluate the impact and reach of GDPR enforcement. This is significant as, with this precedent, we can determine some of the factors a Data Protection Authority (DPA) will use in assessing the extent of a given violation.
Nature and jurisdiction of the complaint
The complaint against Google LLC was brought to the CNIL by two independent non-profit privacy groups. The CNIL began its investigation in response to concerns raised over terms of service and data used to target ads imposed by Google on services present in the Android operating system. The first phase of the process required that jurisdictional authority be established. As Google LLC operates its European headquarters in the EU from Dublin, Ireland, the GDPR provision for “one stop shop” processing of GDPR complaints should apply, indicating that the CNIL should defer to its counterpart in Ireland. However, it was determined that while Google Ireland Limited operated as a financial base of operations for Google in the EU, it did not have decision-making power over data processing operations carried out during initial configuration of an Android mobile device, nor did it have an appointed Data Protection Officer. This meant the complaint could proceed within the CNIL’s purview, and that provisions in the French Data Protection Act as amended under Law 2018-493 could apply.
Distilling the violations
Google is well known as a provider of multiple online services, all accessible from a single account. In many cases, these services have become ubiquitous to modern life – such as Google Search, Maps, Gmail and YouTube. The CNIL found that Google lacked transparency around the purpose of data collection, including clear data retention policies, and that relevant information disclosures were often unclear, generic or superficial.
Importantly, the data processing performed by Google in delivering targeted ads required valid user consent. The CNIL found that user consent to data processing was not validly obtained, in part because it was not freely given. Disclosures relating to processing operations were distributed in various locations and related to activities performed across the suite of solutions Google delivers. This lack of clarity was compounded through the use of “opt-out” defaults and blanket “I agree to …” check boxes effectively granting broad license to Google – despite GDPR requiring consent be specific for each processing purpose.
While Google LLC argued Android users had an option to forego registering their Google account when configuring Android, the CNIL observed that this option was far from obvious. Additionally, users attempting to forego registering or using a Google account were warned that device functionality would be reduced without use of a valid Google account.
Impact of ruling on Google operations
The public impact of this ruling on Google’s European operations began in on December 12, 2018. Anne Rooney the public policy manager for Google Ireland, announced in blog form changes in Google’s service model for users in the European Economic Area and Switzerland. These changes took effect January 22nd and are in direct response to the jurisdictional issues encountered in addressing this complaint.
On January 21, 2019, the CNIL published its ruling, including a fine for €50 million.
While Google has now been sanctioned under GDPR for failures in properly obtaining consent, in the December 12 blog post announcing changes in its service model, Google also affirmed that “It’s important to note these changes do not in any way alter how our products work or how we collect or process user data within our services.” This would imply that Google will continue operating as it has done – independent of the determination of the CNIL. I would hope that Google would take this ruling and apply its observations to become more transparent in how it collects and processes user data when delivering its services.
Key lessons from this ruling
This precedent-setting case provides some clear lessons, particularly if your organisation is based outside of the European Union and might have deferred GDPR compliance efforts.
- Ensure you have a clear location for your EU operations. As Google experienced, failing to have a clear place of business and DPO could require processing of GDPR complaints from jurisdictions with both different spoken languages and additional privacy regulations.
- User consent granted prior to May 25, 2018 may need to be amended to comply with GDPR requirements
- Use of “opt-out” default settings for data collection or processing consent decisions may not comply with GDPR requirements for unambiguous consent
- Use of blanket “I agree to the terms …” only complies with the GDPR specificity requirements when applied to a specific data processing operation – not an entire service
- When determining sanctions and fines, regulators will consider both the degree users are impacted by the infraction and the duration the infraction existed. Proactively addressing issues prior to regulator involvement may mitigate fines
This is the first major fine under GDPR, but it will hardly be the last. With each new ruling, we gain insight into how regulators view data privacy and the balance we as a society seek to strike between data-driven services and personal privacy. Modern society is a data-driven one, but we needn’t give up our individual privacy to reap these benefits. As business leaders we owe it to our users to learn from these rulings while clearly communicating how user data enables the rich experiences we can deliver.
The full text of the deliberation can be found on Legifrance under SAN-2019-001.
By Tim Mackey, Technical Evangelist, Synopsys
PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.
For more information on upcoming events, visit the website.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.
Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/