On 21 January 2019, the restricted committee of the French Data Protection Authority (the “CNIL”) imposed a record fine of 50 million euros on Google LLC (“Google”). The main ground for its decision was non-compliance with the General Data Protection Regulation (“GDPR”): lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.
This penalty follows collective complaints filed on 25 May 2018, the day the GDPR became applicable, by the two NGOs None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”).
Non-compliance of Google with the GDPR
The CNIL immediately investigated the complaints. The scope of the investigation was the processing of personal data by Android, as governed by the privacy policy shown to the user when creating a Google account to set up a mobile device.
The CNIL found that Google had breached two key data protection principles under the GDPR:
– Obligation of transparency and information; and
– Lawfulness of processing.
Breach of transparency and information requirements under the GDPR
First, the information itself: it is scattered and fragmented across several documents, and is sometimes accessible only after five or six steps (clicking buttons, following links, etc.) are taken by the user.
In addition, the CNIL noted that the relevant information is not conveyed to users in a clear and understandable way. The CNIL also qualified Google’s data processing activities as “massive and intrusive” in view of the number of services offered (about twenty) and the amount and nature of the data processed. This imposed an even greater obligation on Google to give users a full and clear understanding of its data processing activities. As an example, the description of the processing purposes is far too generic, e.g. “improve the services we provide to our users”.
In the same way, Google failed to provide clear information on the legal basis and the retention period of the personal data it processes for personalised advertising.
Breach of the obligation to have a legal basis for ads personalization processing
Google argued that it relied on users’ consent as the legal basis for ads personalisation. However, the CNIL decided that such consent was not validly obtained, for two reasons:
– the users’ consent is not sufficiently informed; and
– consent is neither “specific”, nor “unambiguous”.
The information on data processing for ads personalisation is spread across several documents, which makes it very difficult for users to be aware of what they are consenting to. In addition, the personalisation options are enabled by default (pre-ticked boxes), which does not demonstrate unambiguous consent. Finally, the CNIL notes that the user has to agree to the processing of his/her data as a whole, without any granularity between the various services and purposes: the consent is thus not “specific”, as required by the GDPR.
The record fine imposed by the CNIL
The CNIL imposed a financial penalty of 50 million euros on Google. The amount falls under the highest tier of fines provided by the GDPR, but is far from the maximum penalty that could have been imposed[1].
The CNIL based this decision on the fact that Google had violated two basic principles of processing: transparency and lawfulness. The CNIL also pointed out that the collection of personal data was massive and intrusive, and that the breaches of the GDPR were continuing.
Last but not least, the CNIL took into account the dominant position of the Android operating system on the French market and the fact that Google’s business model is partly based on ads personalisation.
The CNIL explained the relatively low amount of the fine (compared with Google’s revenue of about 110 billion US dollars in the preceding year) by the limited scope of its examination.
This decision, which Google has appealed before the Conseil d’Etat, inaugurates the GDPR enforcement phase. More decisions, and more sanctions, are likely to come, considering that NOYB, LQDN and other privacy activist NGOs have filed further complaints against Google and similar Internet giants (Apple, Facebook, Amazon and Microsoft). This decision is a strong message to all entities processing EU personal data, especially those whose economic model is based on the monetisation of users’ personal data, to conduct a full audit of their current level of compliance and of their practices.
[1] Under Article 83(5) GDPR, the infringements committed by Google are subject to administrative fines of up to EUR 20 million or 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.