The grace period is over, and the era of fines for GDPR infringements is upon us
Until now, despite countless warnings before entry into force of the EU’s General Data Protection Regulation in May 2018, administrative authorities have not imposed high fines for violation of regulations on processing of personal data. But this situation seems to be changing, at least in France. On 21 January 2019 the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), imposed a fine of EUR 50 million on Google LLC. The CNIL found that Google had not processed personal data transparently, had provided data subjects with inadequate information on processing, and had personalised ads without the consent of the persons who were shown the ads.
While damages for GDPR infringements (which we discussed recently on the blog) may potentially prove significant for data processors, the greatest concern has been stirred by administrative fines, which may range up to EUR 10 million or 2% of an undertaking’s total turnover in the preceding financial year.
Action by CNIL
The examination of Google’s activity followed the filing of two complaints with the CNIL by organisations called None of Your Business and La Quadrature du Net. They alleged that Google was processing personal data without a legal basis, particularly in the case of personalised ads. The CNIL conducted an online inspection of Google’s activities. In particular, the CNIL analysed the documents that a Google user receives when opening an account using a device with the Android operating system.
Google’s goofs
The CNIL identified two main infringements of data protection rules: violation of obligations regarding transparency and provision of information, and processing of data for personalisation of ads without a legal basis.
Infringement of transparency and information obligations
The CNIL found that in the process of opening a Google account, basic information about the purposes for processing of the user’s data, the length of time the data will be retained, and the categories of personal data used for personalisation of ads was not easily accessible. The information was spread out across several documents, and to obtain some of them it was necessary to follow links and click on items in other documents. In practice, it could take five or six steps to reach this information.
Additionally, not all the information was clear and thorough. In effect, users could not understand the entirety of the operations performed on their data by Google. Moreover, the processing operations were particularly invasive for users due to the quantity of services offered and the number and nature of processed items of information. The aims of the processing and the categories of data were described generally and vaguely, particularly with respect to the basis for processing of data for personalisation of ads, i.e. the user’s consent, which was not obvious from the Google documentation.
Processing of data for personalisation of ads without a legal basis
The CNIL found that consent to processing of personal data for purposes of personalisation was not obtained in a manner compliant with the GDPR.
First, users were not adequately informed of the processes they were consenting to, among other reasons due to the dispersal of key information across numerous documents.
Second, the users’ consent was not sufficiently specific and unequivocal. The CNIL reached this conclusion even though when creating an account, users could click on a tab for “more options” and modify certain functions of their account. In the CNIL’s view, this was burdensome to users, and consent to personalisation of ads was ticked as the default setting. Moreover, when opening an account, the user still had to give general consent to processing of data in compliance with the privacy policy, which meant that Google did not meet the requirement that consent must be given separately for each purpose of data processing.
Fine imposed by CNIL
The CNIL justified the amount of the fine by the seriousness of the infringements, which concerned the fundamental rules of the GDPR on transparency, information, and consent. The quantities of data gathered by Google, the great variety of services provided, and the hard-to-follow methods of using data gathered while providing these services were also relevant. Moreover, the infringements had continued for a long time (at least until the time the fine was imposed) and were not of a one-off nature.
More fines ahead?
Undoubtedly the initial grace period, from entry into force of the GDPR through the end of 2018, is already behind us. So far national authorities have not imposed many fines running to millions of euro, but it is expected that this will change dramatically in 2019. The Google decision by the CNIL in France suggests the elements that will most likely be taken into consideration by authorities in other EU member states.
Katarzyna Szczudlik