As if 2018 wasn’t eventful enough in terms of data protection, 2019 has certainly started with a bang. On 21 January, Google was issued with a €55 million fine by CNIL, the French data protection regulator - the first major fine to be imposed under the General Data Protection Regulation.
Google was penalised for (i) a failure to comply with the GDPR requirements to provide transparent information to data subjects via its Android operating system and (ii) having no legal basis (as required under Article 6) for processing personal data in respect of its personalised adverts function.
The provision of information to data subjects was particularly important given the "massive and intrusive" nature of Google's varied data processing operations, including the likes of Google Maps and YouTube. The information provided was apparently unclear and didn’t set out the legal basis on which Google was relying (a mixture of consent and legitimate interests) to process the data. In addition, the information was scattered across a number of documents, some of which required users to click five or six links before reaching the information.
Stemming from this, CNIL (Commission Nationale de l'Informatique et des Libertés) found that Google had violated the obligations for transparency and information and as such, users could not be said to have given the type of consent required by GDPR – "specific" and "unambiguous".
CNIL justified the size of the fine by noting the severity of infringements of essential principles of transparency, information and consent. The breach was also continuing, involved a vast amount of data and related to an important system (i.e. Android) on the French market.
The key message?
The lesson to be learned is undoubtedly clear – users of services must be provided with easily accessible, concise information to enable them to understand fully the extent of the processing of their data. Without this information, it is unlikely that the consent that they are asked to provide will be GDPR-standard consent.
CNIL's response demonstrates that regulators are not afraid to get tough, particularly with the international tech giants and their opaque use of personal data. However, whilst it's likely that regulators will be keen to pursue the Googles, Facebooks and Amazons of this world, it is an important reminder for all businesses to check they are not making similar mistakes.
Businesses, especially online retailers should also think carefully about where and how they interact with the technology giants and whether any revenue streams depend on Google, Facebook and others continuing to operate in a particular way when it comes to personal data. In short, if the tech giants are forced to make operational changes, it will have a knock-on impact across many sectors, and businesses should carry out a risk analysis of that impact.
What should you be doing?
Transparent, clear and easy to understand information about data processing activities is the key here.
Businesses would be wise to review the accessibility of the information they provide to data subjects and check privacy policies for generic and vague descriptions; the more specific a business can be, the more helpful and informative it is to individuals.
This is especially important if you rely on consent to process personal data. The language and basis for processing must meet the conditions for valid consent (i.e. that it is informed, unambiguous, freely given and consists of an affirmative action). Google's tickbox that stated "I agree to the processing of my information as described above, and further explained in the Privacy Policy" was too vague, and a pre-ticked box to obtain consent to personalised adverts was not GDPR-compliant.
The other key point relates to your back office: there is no doubt that putting privacy by design at the heart of your business processes and systems is crucial in helping you to get a grip on your processing of personal data.
This in turn will help you better understand the personal data your business collects and processes, what it will do with it, and who it shares it with, which will make it easier for you to be transparent and clear in the information you provide to individuals, and stand you in good stead in your compliance with GDPR.
Privacy by design is something which we are seeing more and more, with many clients now asking us for advice on how they put this at the heart of, for example, their online advertising strategies.
