24 Jan 2019

Amidst the UK’s current Brexit turmoil, you may find yourself longing for the relative certainty of this time last year when the EU’s General Data Protection Regulation (GDPR) was about to come into force. At least then your business knew what was happening, and when, and you could confidently plan, assess and implement. The situation could not be more different today.

However, as tempting as it may be to don those rose-tinted spectacles, a recent decision by the French data protection authority – the CNIL – should prompt businesses to give them a good clean before doing so and remind themselves of the risks which non-compliance with GDPR may bring.

Google sanctioned under GDPR

On 21 January, the CNIL imposed a fine of €50 million on Google for various violations of its obligations under the GDPR. These primarily related to the ad personalisation functionality across the various services it offers to account holders (including Google search, YouTube, Google home, Google maps, Play store, and Google pictures).

On top of the fine, and more significantly for Google, the CNIL found Google’s processing activities were unlawful, which means they can no longer process data in this way until they change their practices. It’s hard to know, therefore, what the true financial cost of this decision will be for Google.

Google’s violations

First, Google failed to provide users, in a sufficiently transparent way, with essential information about the purposes for which their personal data was stored, the periods for which it was stored and the categories of personal data it processed. The information Google provided failed in two respects:

  1. it was spread across several pages which required users to click up to 5 or 6 times to access it all; and
  2. there was not sufficient detail and clarity to enable users “to fully understand the extent of the processing operations carried out by Google”.

Second, Google failed to validly obtain the user’s consent regarding ad personalisation. When setting up an account, a user had to tick a box to agree to their personal data being processed in accordance with Google’s privacy policy. They could opt out of ad personalisation, but this was buried in the “more options” section of their account settings and, moreover, the box giving consent was pre-ticked. The user’s consent, and therefore Google’s lawful basis for processing, was not validly obtained because:

  1. the general nature of the first tick box meant the consent was not specific enough, as it had not been given expressly for the purpose of ad personalisation;
  2. the information failings described above also meant that users could not give specific consent to the relevant processing; and
  3. the pre-ticked box did not require “clear affirmative action” from the user and so consent was not unambiguous, as required by GDPR.

The CNIL justified the €50 million fine on the basis that the breaches were severe infringements “regarding the essential principles of the GDPR: transparency, information and consent”.

Though considerable, the fine could theoretically have been even greater. Under GDPR, data protection authorities can levy fines up to €20 million or 4% of the total worldwide annual turnover of the relevant undertaking (note, not just the particular group entity in question).

This is the second decision in recent months affecting ad-tech companies, and Google follows Vectaury in falling foul of the CNIL. Furthermore, the definition of consent adopted by the CNIL was not particularly strict or unusual. It’s quite possible a similar approach to interpretation and enforcement could be adopted by other data protection authorities across the EU. That’s something of which Google and other ad businesses should take note.

Ongoing compliance

While you may have already implemented your GDPR policies, it’s important to remember that compliance with these rules is an ongoing concern. Among your other duties, you need to safeguard yourself by keeping your data protection policies, privacy notices and security measures up to date with technology, and your own data handling practices.

In terms of consent, the ICO has published its expectations around consent management. This is essential reference for organisations that rely on consent as a lawful ground for processing personal data.

If your organisation is based in the UK or sends personal data to/from the UK, Brexit – in whatever form it comes – will not reduce your GDPR obligations, and may possibly increase them. For our overview of what happens in each Brexit scenario, please see our blog here.

To keep up-to-date with similar news and insights please sign up to our newsletter, or to discuss the issues raised in this article, please get in touch.